Edit tour

Windows Analysis Report
INQ_NO_097590_0109_Order.cmd

Overview

General Information

Sample name:	INQ_NO_097590_0109_Order.cmd
Analysis ID:	1634987
MD5:	ff2cc9cbc2026870c11dfe4e8fa8cf33
SHA1:	3ef20cfe67c03e51e63555e502417356d6164ede
SHA256:	ad2f6f346947b0ee1c6a2a0059052610b7cec2bef1556c3a6a6d4b69d3fe5dad
Tags:	cmduser-lowmal3
Infos:

Detection

DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected DBatLoader

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Drops PE files with a suspicious file extension

Joe Sandbox ML detected suspicious sample

Sample uses process hollowing technique

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 7048 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\INQ_NO_097590_0109_Order.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

extrac32.exe (PID: 6208 cmdline: extrac32 /y "C:\Users\user\Desktop\INQ_NO_097590_0109_Order.cmd" "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 41330D97BF17D07CD4308264F3032547)

x.exe (PID: 6272 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 4902306896DFA6C4CD2A99137A9FA6B4)

cmd.exe (PID: 6120 cmdline: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\6543.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4580 cmdline: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\29023.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

eygydoqJ.pif (PID: 5160 cmdline: C:\\Users\\user\\Links\eygydoqJ.pif MD5: C116D3604CEAFE7057D77FF27552C215)

Jqodygye.PIF (PID: 7096 cmdline: "C:\Users\user\Links\Jqodygye.PIF" MD5: 4902306896DFA6C4CD2A99137A9FA6B4)

eygydoqJ.pif (PID: 7128 cmdline: C:\\Users\\user\\Links\eygydoqJ.pif MD5: C116D3604CEAFE7057D77FF27552C215)

Jqodygye.PIF (PID: 6308 cmdline: "C:\Users\user\Links\Jqodygye.PIF" MD5: 4902306896DFA6C4CD2A99137A9FA6B4)

eygydoqJ.pif (PID: 3552 cmdline: C:\\Users\\user\\Links\eygydoqJ.pif MD5: C116D3604CEAFE7057D77FF27552C215)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.2157856719.000000001DE91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000008.00000002.2157856719.000000001DE91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000008.00000002.2157856719.000000001DE91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2157856719.000000001DE91000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2651d:$a1: get_encryptedPassword 0x53235:$a1: get_encryptedPassword 0x264f1:$a2: get_encryptedUsername 0x53209:$a2: get_encryptedUsername 0x265b5:$a3: get_timePasswordChanged 0x532cd:$a3: get_timePasswordChanged 0x264cd:$a4: get_passwordField 0x531e5:$a4: get_passwordField 0x26533:$a5: set_encryptedPassword 0x5324b:$a5: set_encryptedPassword 0x26300:$a7: get_logins 0x53018:$a7: get_logins 0x2588a:$a8: GetOutlookPasswords 0x525a2:$a8: GetOutlookPasswords 0x24d9e:$a9: StartKeylogger 0x51ab6:$a9: StartKeylogger 0x237f8:$a10: KeyLoggerEventArgs 0x50510:$a10: KeyLoggerEventArgs 0x237c7:$a11: KeyLoggerEventArgsEventHandler 0x504df:$a11: KeyLoggerEventArgsEventHandler 0x263d4:$a13: _encryptedPassword
00000008.00000001.898049041.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000A.00000002.2160908840.0000000022120000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000A.00000002.2160908840.0000000022120000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0000000A.00000002.2160908840.0000000022120000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.2160908840.0000000022120000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x210a5:$a1: get_encryptedPassword 0x21079:$a2: get_encryptedUsername 0x2113d:$a3: get_timePasswordChanged 0x21055:$a4: get_passwordField 0x210bb:$a5: set_encryptedPassword 0x20e88:$a7: get_logins 0x20412:$a8: GetOutlookPasswords 0x1f926:$a9: StartKeylogger 0x1e380:$a10: KeyLoggerEventArgs 0x1e34f:$a11: KeyLoggerEventArgsEventHandler 0x20f5c:$a13: _encryptedPassword
00000003.00000002.917028152.000000000241E000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000A.00000002.2153882700.000000001F4E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000A.00000002.2153882700.000000001F4E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0000000A.00000002.2153882700.000000001F4E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.2153882700.000000001F4E0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21fad:$a1: get_encryptedPassword 0x21f81:$a2: get_encryptedUsername 0x22045:$a3: get_timePasswordChanged 0x21f5d:$a4: get_passwordField 0x21fc3:$a5: set_encryptedPassword 0x21d90:$a7: get_logins 0x2131a:$a8: GetOutlookPasswords 0x2082e:$a9: StartKeylogger 0x1f288:$a10: KeyLoggerEventArgs 0x1f257:$a11: KeyLoggerEventArgsEventHandler 0x21e64:$a13: _encryptedPassword
0000000D.00000002.2158981033.000000001B5A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000D.00000002.2158981033.000000001B5A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0000000D.00000002.2158981033.000000001B5A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000002.2158981033.000000001B5A1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2651d:$a1: get_encryptedPassword 0x53235:$a1: get_encryptedPassword 0x264f1:$a2: get_encryptedUsername 0x53209:$a2: get_encryptedUsername 0x265b5:$a3: get_timePasswordChanged 0x532cd:$a3: get_timePasswordChanged 0x264cd:$a4: get_passwordField 0x531e5:$a4: get_passwordField 0x26533:$a5: set_encryptedPassword 0x5324b:$a5: set_encryptedPassword 0x26300:$a7: get_logins 0x53018:$a7: get_logins 0x2588a:$a8: GetOutlookPasswords 0x525a2:$a8: GetOutlookPasswords 0x24d9e:$a9: StartKeylogger 0x51ab6:$a9: StartKeylogger 0x237f8:$a10: KeyLoggerEventArgs 0x50510:$a10: KeyLoggerEventArgs 0x237c7:$a11: KeyLoggerEventArgsEventHandler 0x504df:$a11: KeyLoggerEventArgsEventHandler 0x263d4:$a13: _encryptedPassword
0000000D.00000002.2153491388.000000001A500000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000D.00000002.2153491388.000000001A500000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0000000D.00000002.2153491388.000000001A500000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000002.2153491388.000000001A500000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x210a5:$a1: get_encryptedPassword 0x21079:$a2: get_encryptedUsername 0x2113d:$a3: get_timePasswordChanged 0x21055:$a4: get_passwordField 0x210bb:$a5: set_encryptedPassword 0x20e88:$a7: get_logins 0x20412:$a8: GetOutlookPasswords 0x1f926:$a9: StartKeylogger 0x1e380:$a10: KeyLoggerEventArgs 0x1e34f:$a11: KeyLoggerEventArgsEventHandler 0x20f5c:$a13: _encryptedPassword
00000008.00000002.2129362086.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000D.00000002.2129374067.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000A.00000002.2159042614.0000000020531000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000A.00000002.2159042614.0000000020531000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0000000A.00000002.2159042614.0000000020531000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.2159042614.0000000020531000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2651d:$a1: get_encryptedPassword 0x53235:$a1: get_encryptedPassword 0x264f1:$a2: get_encryptedUsername 0x53209:$a2: get_encryptedUsername 0x265b5:$a3: get_timePasswordChanged 0x532cd:$a3: get_timePasswordChanged 0x264cd:$a4: get_passwordField 0x531e5:$a4: get_passwordField 0x26533:$a5: set_encryptedPassword 0x5324b:$a5: set_encryptedPassword 0x26300:$a7: get_logins 0x53018:$a7: get_logins 0x2588a:$a8: GetOutlookPasswords 0x525a2:$a8: GetOutlookPasswords 0x24d9e:$a9: StartKeylogger 0x51ab6:$a9: StartKeylogger 0x237f8:$a10: KeyLoggerEventArgs 0x50510:$a10: KeyLoggerEventArgs 0x237c7:$a11: KeyLoggerEventArgsEventHandler 0x504df:$a11: KeyLoggerEventArgsEventHandler 0x263d4:$a13: _encryptedPassword
0000000A.00000002.2153281830.000000001F2B5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000A.00000002.2153281830.000000001F2B5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0000000A.00000002.2153281830.000000001F2B5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.2153281830.000000001F2B5000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x62d0b:$a1: get_encryptedPassword 0x62cdf:$a2: get_encryptedUsername 0x62da3:$a3: get_timePasswordChanged 0x62cbb:$a4: get_passwordField 0x62d21:$a5: set_encryptedPassword 0x62aee:$a7: get_logins 0x62078:$a8: GetOutlookPasswords 0x6158c:$a9: StartKeylogger 0x5ffe6:$a10: KeyLoggerEventArgs 0x5ffb5:$a11: KeyLoggerEventArgsEventHandler 0x62bc2:$a13: _encryptedPassword
0000000D.00000002.2154018283.000000001A609000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.2129300128.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000008.00000003.916808373.000000001AFB7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000008.00000003.916808373.000000001AFB7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000008.00000003.916808373.000000001AFB7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000003.916808373.000000001AFB7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21bb5:$a1: get_encryptedPassword 0x21b89:$a2: get_encryptedUsername 0x21c4d:$a3: get_timePasswordChanged 0x21b65:$a4: get_passwordField 0x21bcb:$a5: set_encryptedPassword 0x21998:$a7: get_logins 0x20f22:$a8: GetOutlookPasswords 0x20436:$a9: StartKeylogger 0x1ee90:$a10: KeyLoggerEventArgs 0x1ee5f:$a11: KeyLoggerEventArgsEventHandler 0x21a6c:$a13: _encryptedPassword
00000008.00000002.2152547309.000000001CEFB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.2151615923.000000001CC20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000008.00000002.2151615923.000000001CC20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000008.00000002.2151615923.000000001CC20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2151615923.000000001CC20000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21fad:$a1: get_encryptedPassword 0x21f81:$a2: get_encryptedUsername 0x22045:$a3: get_timePasswordChanged 0x21f5d:$a4: get_passwordField 0x21fc3:$a5: set_encryptedPassword 0x21d90:$a7: get_logins 0x2131a:$a8: GetOutlookPasswords 0x2082e:$a9: StartKeylogger 0x1f288:$a10: KeyLoggerEventArgs 0x1f257:$a11: KeyLoggerEventArgsEventHandler 0x21e64:$a13: _encryptedPassword
0000000D.00000003.1146685934.00000000185DE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000D.00000003.1146685934.00000000185DE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0000000D.00000003.1146685934.00000000185DE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000003.1146685934.00000000185DE000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2193d:$a1: get_encryptedPassword 0x21911:$a2: get_encryptedUsername 0x219d5:$a3: get_timePasswordChanged 0x218ed:$a4: get_passwordField 0x21953:$a5: set_encryptedPassword 0x21720:$a7: get_logins 0x20caa:$a8: GetOutlookPasswords 0x201be:$a9: StartKeylogger 0x1ec18:$a10: KeyLoggerEventArgs 0x1ebe7:$a11: KeyLoggerEventArgsEventHandler 0x217f4:$a13: _encryptedPassword
00000008.00000002.2151357570.000000001CB35000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000008.00000002.2151357570.000000001CB35000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000008.00000002.2151357570.000000001CB35000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2151357570.000000001CB35000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x62d0b:$a1: get_encryptedPassword 0x62cdf:$a2: get_encryptedUsername 0x62da3:$a3: get_timePasswordChanged 0x62cbb:$a4: get_passwordField 0x62d21:$a5: set_encryptedPassword 0x62aee:$a7: get_logins 0x62078:$a8: GetOutlookPasswords 0x6158c:$a9: StartKeylogger 0x5ffe6:$a10: KeyLoggerEventArgs 0x5ffb5:$a11: KeyLoggerEventArgsEventHandler 0x62bc2:$a13: _encryptedPassword
0000000D.00000002.2151445487.000000001A045000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000D.00000002.2151445487.000000001A045000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0000000D.00000002.2151445487.000000001A045000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000002.2151445487.000000001A045000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x62d0b:$a1: get_encryptedPassword 0x62cdf:$a2: get_encryptedUsername 0x62da3:$a3: get_timePasswordChanged 0x62cbb:$a4: get_passwordField 0x62d21:$a5: set_encryptedPassword 0x62aee:$a7: get_logins 0x62078:$a8: GetOutlookPasswords 0x6158c:$a9: StartKeylogger 0x5ffe6:$a10: KeyLoggerEventArgs 0x5ffb5:$a11: KeyLoggerEventArgsEventHandler 0x62bc2:$a13: _encryptedPassword
0000000D.00000002.2152200513.000000001A350000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000D.00000002.2152200513.000000001A350000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0000000D.00000002.2152200513.000000001A350000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000002.2152200513.000000001A350000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21fad:$a1: get_encryptedPassword 0x21f81:$a2: get_encryptedUsername 0x22045:$a3: get_timePasswordChanged 0x21f5d:$a4: get_passwordField 0x21fc3:$a5: set_encryptedPassword 0x21d90:$a7: get_logins 0x2131a:$a8: GetOutlookPasswords 0x2082e:$a9: StartKeylogger 0x1f288:$a10: KeyLoggerEventArgs 0x1f257:$a11: KeyLoggerEventArgsEventHandler 0x21e64:$a13: _encryptedPassword
00000008.00000002.2152197129.000000001CD40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000008.00000002.2152197129.000000001CD40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000008.00000002.2152197129.000000001CD40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2152197129.000000001CD40000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x210a5:$a1: get_encryptedPassword 0x21079:$a2: get_encryptedUsername 0x2113d:$a3: get_timePasswordChanged 0x21055:$a4: get_passwordField 0x210bb:$a5: set_encryptedPassword 0x20e88:$a7: get_logins 0x20412:$a8: GetOutlookPasswords 0x1f926:$a9: StartKeylogger 0x1e380:$a10: KeyLoggerEventArgs 0x1e34f:$a11: KeyLoggerEventArgsEventHandler 0x20f5c:$a13: _encryptedPassword
0000000A.00000002.2154552207.000000001F599000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: x.exe PID: 6272	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: eygydoqJ.pif PID: 5160	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: eygydoqJ.pif PID: 5160	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: eygydoqJ.pif PID: 5160	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: eygydoqJ.pif PID: 5160	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xc006:$a1: get_encryptedPassword 0x813ea:$a1: get_encryptedPassword 0xadb04:$a1: get_encryptedPassword 0xc616f:$a1: get_encryptedPassword 0xefa75:$a1: get_encryptedPassword 0xbfda:$a2: get_encryptedUsername 0x813be:$a2: get_encryptedUsername 0xadad8:$a2: get_encryptedUsername 0xc6143:$a2: get_encryptedUsername 0xefa49:$a2: get_encryptedUsername 0xc09e:$a3: get_timePasswordChanged 0x81482:$a3: get_timePasswordChanged 0xadb9c:$a3: get_timePasswordChanged 0xc6207:$a3: get_timePasswordChanged 0xefb0d:$a3: get_timePasswordChanged 0xbfb6:$a4: get_passwordField 0x8139a:$a4: get_passwordField 0xadab4:$a4: get_passwordField 0xc611f:$a4: get_passwordField 0xefa25:$a4: get_passwordField 0xc01c:$a5: set_encryptedPassword
Process Memory Space: eygydoqJ.pif PID: 7128	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: eygydoqJ.pif PID: 7128	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: eygydoqJ.pif PID: 7128	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: eygydoqJ.pif PID: 7128	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xdf26:$a1: get_encryptedPassword 0x1971f:$a1: get_encryptedPassword 0x3ddb2:$a1: get_encryptedPassword 0x4ab43:$a1: get_encryptedPassword 0xdefa:$a2: get_encryptedUsername 0x196f3:$a2: get_encryptedUsername 0x3dd86:$a2: get_encryptedUsername 0x4ab17:$a2: get_encryptedUsername 0xdfbe:$a3: get_timePasswordChanged 0x197b7:$a3: get_timePasswordChanged 0x3de4a:$a3: get_timePasswordChanged 0x4abdb:$a3: get_timePasswordChanged 0xded6:$a4: get_passwordField 0x196cf:$a4: get_passwordField 0x3dd62:$a4: get_passwordField 0x4aaf3:$a4: get_passwordField 0xdf3c:$a5: set_encryptedPassword 0x19735:$a5: set_encryptedPassword 0x3ddc8:$a5: set_encryptedPassword 0x4ab59:$a5: set_encryptedPassword 0xdd12:$a7: get_logins
Process Memory Space: eygydoqJ.pif PID: 3552	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: eygydoqJ.pif PID: 3552	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: eygydoqJ.pif PID: 3552	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: eygydoqJ.pif PID: 3552	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x23927:$a1: get_encryptedPassword 0x35252:$a1: get_encryptedPassword 0x958f6:$a1: get_encryptedPassword 0xc187c:$a1: get_encryptedPassword 0xd7353:$a1: get_encryptedPassword 0x238fb:$a2: get_encryptedUsername 0x35226:$a2: get_encryptedUsername 0x958ca:$a2: get_encryptedUsername 0xc1850:$a2: get_encryptedUsername 0xd7327:$a2: get_encryptedUsername 0x239bf:$a3: get_timePasswordChanged 0x352ea:$a3: get_timePasswordChanged 0x9598e:$a3: get_timePasswordChanged 0xc1914:$a3: get_timePasswordChanged 0xd73eb:$a3: get_timePasswordChanged 0x238d7:$a4: get_passwordField 0x35202:$a4: get_passwordField 0x958a6:$a4: get_passwordField 0xc182c:$a4: get_passwordField 0xd7303:$a4: get_passwordField 0x2393d:$a5: set_encryptedPassword
Click to see the 72 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.eygydoqJ.pif.1cc20000.5.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.eygydoqJ.pif.1cc20000.5.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
8.2.eygydoqJ.pif.1cc20000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.eygydoqJ.pif.1cc20000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21fad:$a1: get_encryptedPassword 0x21f81:$a2: get_encryptedUsername 0x22045:$a3: get_timePasswordChanged 0x21f5d:$a4: get_passwordField 0x21fc3:$a5: set_encryptedPassword 0x21d90:$a7: get_logins 0x2131a:$a8: GetOutlookPasswords 0x2082e:$a9: StartKeylogger 0x1f288:$a10: KeyLoggerEventArgs 0x1f257:$a11: KeyLoggerEventArgsEventHandler 0x21e64:$a13: _encryptedPassword
8.2.eygydoqJ.pif.43d038.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x344b0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x34b30:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
8.2.eygydoqJ.pif.1cc20f08.6.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.eygydoqJ.pif.1cc20f08.6.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
8.2.eygydoqJ.pif.1cc20f08.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.eygydoqJ.pif.1cc20f08.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1f2a5:$a1: get_encryptedPassword 0x1f279:$a2: get_encryptedUsername 0x1f33d:$a3: get_timePasswordChanged 0x1f255:$a4: get_passwordField 0x1f2bb:$a5: set_encryptedPassword 0x1f088:$a7: get_logins 0x1e612:$a8: GetOutlookPasswords 0x1db26:$a9: StartKeylogger 0x1c580:$a10: KeyLoggerEventArgs 0x1c54f:$a11: KeyLoggerEventArgsEventHandler 0x1f15c:$a13: _encryptedPassword
8.2.eygydoqJ.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
13.1.eygydoqJ.pif.4e68c8.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
8.2.eygydoqJ.pif.1dec3190.8.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.eygydoqJ.pif.1dec3190.8.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
8.2.eygydoqJ.pif.1dec3190.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.eygydoqJ.pif.1dec3190.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1f2a5:$a1: get_encryptedPassword 0x1f279:$a2: get_encryptedUsername 0x1f33d:$a3: get_timePasswordChanged 0x1f255:$a4: get_passwordField 0x1f2bb:$a5: set_encryptedPassword 0x1f088:$a7: get_logins 0x1e612:$a8: GetOutlookPasswords 0x1db26:$a9: StartKeylogger 0x1c580:$a10: KeyLoggerEventArgs 0x1c54f:$a11: KeyLoggerEventArgsEventHandler 0x1f15c:$a13: _encryptedPassword
10.2.eygydoqJ.pif.1f4e0000.5.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
10.2.eygydoqJ.pif.1f4e0000.5.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
10.2.eygydoqJ.pif.1f4e0000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.eygydoqJ.pif.1f4e0000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x201ad:$a1: get_encryptedPassword 0x20181:$a2: get_encryptedUsername 0x20245:$a3: get_timePasswordChanged 0x2015d:$a4: get_passwordField 0x201c3:$a5: set_encryptedPassword 0x1ff90:$a7: get_logins 0x1f51a:$a8: GetOutlookPasswords 0x1ea2e:$a9: StartKeylogger 0x1d488:$a10: KeyLoggerEventArgs 0x1d457:$a11: KeyLoggerEventArgsEventHandler 0x20064:$a13: _encryptedPassword
10.2.eygydoqJ.pif.20563190.7.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
10.2.eygydoqJ.pif.20563190.7.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
10.2.eygydoqJ.pif.20563190.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.eygydoqJ.pif.20563190.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1f2a5:$a1: get_encryptedPassword 0x1f279:$a2: get_encryptedUsername 0x1f33d:$a3: get_timePasswordChanged 0x1f255:$a4: get_passwordField 0x1f2bb:$a5: set_encryptedPassword 0x1f088:$a7: get_logins 0x1e612:$a8: GetOutlookPasswords 0x1db26:$a9: StartKeylogger 0x1c580:$a10: KeyLoggerEventArgs 0x1c54f:$a11: KeyLoggerEventArgsEventHandler 0x1f15c:$a13: _encryptedPassword
10.2.eygydoqJ.pif.22120000.10.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
10.2.eygydoqJ.pif.22120000.10.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
10.2.eygydoqJ.pif.22120000.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.eygydoqJ.pif.22120000.10.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1f2a5:$a1: get_encryptedPassword 0x1f279:$a2: get_encryptedUsername 0x1f33d:$a3: get_timePasswordChanged 0x1f255:$a4: get_passwordField 0x1f2bb:$a5: set_encryptedPassword 0x1f088:$a7: get_logins 0x1e612:$a8: GetOutlookPasswords 0x1db26:$a9: StartKeylogger 0x1c580:$a10: KeyLoggerEventArgs 0x1c54f:$a11: KeyLoggerEventArgsEventHandler 0x1f15c:$a13: _encryptedPassword
13.2.eygydoqJ.pif.1a350f08.5.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.eygydoqJ.pif.1a350f08.5.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
13.2.eygydoqJ.pif.1a350f08.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.eygydoqJ.pif.1a350f08.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x210a5:$a1: get_encryptedPassword 0x21079:$a2: get_encryptedUsername 0x2113d:$a3: get_timePasswordChanged 0x21055:$a4: get_passwordField 0x210bb:$a5: set_encryptedPassword 0x20e88:$a7: get_logins 0x20412:$a8: GetOutlookPasswords 0x1f926:$a9: StartKeylogger 0x1e380:$a10: KeyLoggerEventArgs 0x1e34f:$a11: KeyLoggerEventArgsEventHandler 0x20f5c:$a13: _encryptedPassword
10.1.eygydoqJ.pif.4e68c8.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
8.2.eygydoqJ.pif.1cb76c66.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.eygydoqJ.pif.1cb76c66.3.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
8.2.eygydoqJ.pif.1cb76c66.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.eygydoqJ.pif.1cb76c66.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x210a5:$a1: get_encryptedPassword 0x21079:$a2: get_encryptedUsername 0x2113d:$a3: get_timePasswordChanged 0x21055:$a4: get_passwordField 0x210bb:$a5: set_encryptedPassword 0x20e88:$a7: get_logins 0x20412:$a8: GetOutlookPasswords 0x1f926:$a9: StartKeylogger 0x1e380:$a10: KeyLoggerEventArgs 0x1e34f:$a11: KeyLoggerEventArgsEventHandler 0x20f5c:$a13: _encryptedPassword
10.2.eygydoqJ.pif.20535570.9.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
10.2.eygydoqJ.pif.20535570.9.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
10.2.eygydoqJ.pif.20535570.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.eygydoqJ.pif.20535570.9.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x201ad:$a1: get_encryptedPassword 0x20181:$a2: get_encryptedUsername 0x20245:$a3: get_timePasswordChanged 0x2015d:$a4: get_passwordField 0x201c3:$a5: set_encryptedPassword 0x1ff90:$a7: get_logins 0x1f51a:$a8: GetOutlookPasswords 0x1ea2e:$a9: StartKeylogger 0x1d488:$a10: KeyLoggerEventArgs 0x1d457:$a11: KeyLoggerEventArgsEventHandler 0x20064:$a13: _encryptedPassword
8.2.eygydoqJ.pif.475468.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
8.3.eygydoqJ.pif.1afb7b10.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.3.eygydoqJ.pif.1afb7b10.0.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
8.3.eygydoqJ.pif.1afb7b10.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.3.eygydoqJ.pif.1afb7b10.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x210a5:$a1: get_encryptedPassword 0x21079:$a2: get_encryptedUsername 0x2113d:$a3: get_timePasswordChanged 0x21055:$a4: get_passwordField 0x210bb:$a5: set_encryptedPassword 0x20e88:$a7: get_logins 0x20412:$a8: GetOutlookPasswords 0x1f926:$a9: StartKeylogger 0x1e380:$a10: KeyLoggerEventArgs 0x1e34f:$a11: KeyLoggerEventArgsEventHandler 0x20f5c:$a13: _encryptedPassword
8.2.eygydoqJ.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
8.1.eygydoqJ.pif.475468.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
8.2.eygydoqJ.pif.43d038.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x554e0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x384b0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x38b30:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x571ba:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x56e00:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x562b8:$s6: constructor or from DllMain.
13.2.eygydoqJ.pif.1a500000.7.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.eygydoqJ.pif.1a500000.7.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
13.2.eygydoqJ.pif.1a500000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.eygydoqJ.pif.1a500000.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1f2a5:$a1: get_encryptedPassword 0x1f279:$a2: get_encryptedUsername 0x1f33d:$a3: get_timePasswordChanged 0x1f255:$a4: get_passwordField 0x1f2bb:$a5: set_encryptedPassword 0x1f088:$a7: get_logins 0x1e612:$a8: GetOutlookPasswords 0x1db26:$a9: StartKeylogger 0x1c580:$a10: KeyLoggerEventArgs 0x1c54f:$a11: KeyLoggerEventArgsEventHandler 0x1f15c:$a13: _encryptedPassword
8.1.eygydoqJ.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
13.2.eygydoqJ.pif.1a086c66.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.eygydoqJ.pif.1a086c66.4.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
13.2.eygydoqJ.pif.1a086c66.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.eygydoqJ.pif.1a086c66.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1f2a5:$a1: get_encryptedPassword 0x1f279:$a2: get_encryptedUsername 0x1f33d:$a3: get_timePasswordChanged 0x1f255:$a4: get_passwordField 0x1f2bb:$a5: set_encryptedPassword 0x1f088:$a7: get_logins 0x1e612:$a8: GetOutlookPasswords 0x1db26:$a9: StartKeylogger 0x1c580:$a10: KeyLoggerEventArgs 0x1c54f:$a11: KeyLoggerEventArgsEventHandler 0x1f15c:$a13: _encryptedPassword
13.2.eygydoqJ.pif.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
13.2.eygydoqJ.pif.1a085d5e.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.eygydoqJ.pif.1a085d5e.3.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
13.2.eygydoqJ.pif.1a085d5e.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.eygydoqJ.pif.1a085d5e.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21fad:$a1: get_encryptedPassword 0x21f81:$a2: get_encryptedUsername 0x22045:$a3: get_timePasswordChanged 0x21f5d:$a4: get_passwordField 0x21fc3:$a5: set_encryptedPassword 0x21d90:$a7: get_logins 0x2131a:$a8: GetOutlookPasswords 0x2082e:$a9: StartKeylogger 0x1f288:$a10: KeyLoggerEventArgs 0x1f257:$a11: KeyLoggerEventArgsEventHandler 0x21e64:$a13: _encryptedPassword
8.1.eygydoqJ.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
13.2.eygydoqJ.pif.1a086c66.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.eygydoqJ.pif.1a086c66.4.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
13.2.eygydoqJ.pif.1a086c66.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.eygydoqJ.pif.1a086c66.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x210a5:$a1: get_encryptedPassword 0x21079:$a2: get_encryptedUsername 0x2113d:$a3: get_timePasswordChanged 0x21055:$a4: get_passwordField 0x210bb:$a5: set_encryptedPassword 0x20e88:$a7: get_logins 0x20412:$a8: GetOutlookPasswords 0x1f926:$a9: StartKeylogger 0x1e380:$a10: KeyLoggerEventArgs 0x1e34f:$a11: KeyLoggerEventArgsEventHandler 0x20f5c:$a13: _encryptedPassword
10.2.eygydoqJ.pif.20535570.9.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
10.2.eygydoqJ.pif.20535570.9.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
10.2.eygydoqJ.pif.20535570.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.eygydoqJ.pif.20535570.9.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21fad:$a1: get_encryptedPassword 0x4ecc5:$a1: get_encryptedPassword 0x21f81:$a2: get_encryptedUsername 0x4ec99:$a2: get_encryptedUsername 0x22045:$a3: get_timePasswordChanged 0x4ed5d:$a3: get_timePasswordChanged 0x21f5d:$a4: get_passwordField 0x4ec75:$a4: get_passwordField 0x21fc3:$a5: set_encryptedPassword 0x4ecdb:$a5: set_encryptedPassword 0x21d90:$a7: get_logins 0x4eaa8:$a7: get_logins 0x2131a:$a8: GetOutlookPasswords 0x4e032:$a8: GetOutlookPasswords 0x2082e:$a9: StartKeylogger 0x4d546:$a9: StartKeylogger 0x1f288:$a10: KeyLoggerEventArgs 0x4bfa0:$a10: KeyLoggerEventArgs 0x1f257:$a11: KeyLoggerEventArgsEventHandler 0x4bf6f:$a11: KeyLoggerEventArgsEventHandler 0x21e64:$a13: _encryptedPassword
3.2.x.exe.241e118.0.raw.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
10.2.eygydoqJ.pif.22120000.10.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
10.2.eygydoqJ.pif.22120000.10.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
10.2.eygydoqJ.pif.22120000.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.eygydoqJ.pif.22120000.10.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x210a5:$a1: get_encryptedPassword 0x21079:$a2: get_encryptedUsername 0x2113d:$a3: get_timePasswordChanged 0x21055:$a4: get_passwordField 0x210bb:$a5: set_encryptedPassword 0x20e88:$a7: get_logins 0x20412:$a8: GetOutlookPasswords 0x1f926:$a9: StartKeylogger 0x1e380:$a10: KeyLoggerEventArgs 0x1e34f:$a11: KeyLoggerEventArgsEventHandler 0x20f5c:$a13: _encryptedPassword
10.2.eygydoqJ.pif.4e68c8.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
13.3.eygydoqJ.pif.185de898.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.3.eygydoqJ.pif.185de898.0.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
13.3.eygydoqJ.pif.185de898.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.3.eygydoqJ.pif.185de898.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1f2a5:$a1: get_encryptedPassword 0x1f279:$a2: get_encryptedUsername 0x1f33d:$a3: get_timePasswordChanged 0x1f255:$a4: get_passwordField 0x1f2bb:$a5: set_encryptedPassword 0x1f088:$a7: get_logins 0x1e612:$a8: GetOutlookPasswords 0x1db26:$a9: StartKeylogger 0x1c580:$a10: KeyLoggerEventArgs 0x1c54f:$a11: KeyLoggerEventArgsEventHandler 0x1f15c:$a13: _encryptedPassword
10.2.eygydoqJ.pif.20536478.8.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
10.2.eygydoqJ.pif.20536478.8.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
10.2.eygydoqJ.pif.20536478.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.eygydoqJ.pif.20536478.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1f2a5:$a1: get_encryptedPassword 0x1f279:$a2: get_encryptedUsername 0x1f33d:$a3: get_timePasswordChanged 0x1f255:$a4: get_passwordField 0x1f2bb:$a5: set_encryptedPassword 0x1f088:$a7: get_logins 0x1e612:$a8: GetOutlookPasswords 0x1db26:$a9: StartKeylogger 0x1c580:$a10: KeyLoggerEventArgs 0x1c54f:$a11: KeyLoggerEventArgsEventHandler 0x1f15c:$a13: _encryptedPassword
13.2.eygydoqJ.pif.1b5d3190.9.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.eygydoqJ.pif.1b5d3190.9.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
13.2.eygydoqJ.pif.1b5d3190.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.eygydoqJ.pif.1b5d3190.9.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1f2a5:$a1: get_encryptedPassword 0x1f279:$a2: get_encryptedUsername 0x1f33d:$a3: get_timePasswordChanged 0x1f255:$a4: get_passwordField 0x1f2bb:$a5: set_encryptedPassword 0x1f088:$a7: get_logins 0x1e612:$a8: GetOutlookPasswords 0x1db26:$a9: StartKeylogger 0x1c580:$a10: KeyLoggerEventArgs 0x1c54f:$a11: KeyLoggerEventArgsEventHandler 0x1f15c:$a13: _encryptedPassword
8.2.eygydoqJ.pif.1de96478.10.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.eygydoqJ.pif.1de96478.10.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
8.2.eygydoqJ.pif.1de96478.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.eygydoqJ.pif.1de96478.10.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x210a5:$a1: get_encryptedPassword 0x4ddbd:$a1: get_encryptedPassword 0x21079:$a2: get_encryptedUsername 0x4dd91:$a2: get_encryptedUsername 0x2113d:$a3: get_timePasswordChanged 0x4de55:$a3: get_timePasswordChanged 0x21055:$a4: get_passwordField 0x4dd6d:$a4: get_passwordField 0x210bb:$a5: set_encryptedPassword 0x4ddd3:$a5: set_encryptedPassword 0x20e88:$a7: get_logins 0x4dba0:$a7: get_logins 0x20412:$a8: GetOutlookPasswords 0x4d12a:$a8: GetOutlookPasswords 0x1f926:$a9: StartKeylogger 0x4c63e:$a9: StartKeylogger 0x1e380:$a10: KeyLoggerEventArgs 0x4b098:$a10: KeyLoggerEventArgs 0x1e34f:$a11: KeyLoggerEventArgsEventHandler 0x4b067:$a11: KeyLoggerEventArgsEventHandler 0x20f5c:$a13: _encryptedPassword
13.2.eygydoqJ.pif.1a350f08.5.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.eygydoqJ.pif.1a350f08.5.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
13.2.eygydoqJ.pif.1a350f08.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.eygydoqJ.pif.1a350f08.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1f2a5:$a1: get_encryptedPassword 0x1f279:$a2: get_encryptedUsername 0x1f33d:$a3: get_timePasswordChanged 0x1f255:$a4: get_passwordField 0x1f2bb:$a5: set_encryptedPassword 0x1f088:$a7: get_logins 0x1e612:$a8: GetOutlookPasswords 0x1db26:$a9: StartKeylogger 0x1c580:$a10: KeyLoggerEventArgs 0x1c54f:$a11: KeyLoggerEventArgsEventHandler 0x1f15c:$a13: _encryptedPassword
8.2.eygydoqJ.pif.1cb75d5e.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.eygydoqJ.pif.1cb75d5e.4.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
8.2.eygydoqJ.pif.1cb75d5e.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.eygydoqJ.pif.1cb75d5e.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x201ad:$a1: get_encryptedPassword 0x20181:$a2: get_encryptedUsername 0x20245:$a3: get_timePasswordChanged 0x2015d:$a4: get_passwordField 0x201c3:$a5: set_encryptedPassword 0x1ff90:$a7: get_logins 0x1f51a:$a8: GetOutlookPasswords 0x1ea2e:$a9: StartKeylogger 0x1d488:$a10: KeyLoggerEventArgs 0x1d457:$a11: KeyLoggerEventArgsEventHandler 0x20064:$a13: _encryptedPassword
8.2.eygydoqJ.pif.1cb76c66.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.eygydoqJ.pif.1cb76c66.3.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
8.2.eygydoqJ.pif.1cb76c66.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.eygydoqJ.pif.1cb76c66.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1f2a5:$a1: get_encryptedPassword 0x1f279:$a2: get_encryptedUsername 0x1f33d:$a3: get_timePasswordChanged 0x1f255:$a4: get_passwordField 0x1f2bb:$a5: set_encryptedPassword 0x1f088:$a7: get_logins 0x1e612:$a8: GetOutlookPasswords 0x1db26:$a9: StartKeylogger 0x1c580:$a10: KeyLoggerEventArgs 0x1c54f:$a11: KeyLoggerEventArgsEventHandler 0x1f15c:$a13: _encryptedPassword
8.2.eygydoqJ.pif.1cd40000.7.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.eygydoqJ.pif.1cd40000.7.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
8.2.eygydoqJ.pif.1cd40000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.eygydoqJ.pif.1cd40000.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1f2a5:$a1: get_encryptedPassword 0x1f279:$a2: get_encryptedUsername 0x1f33d:$a3: get_timePasswordChanged 0x1f255:$a4: get_passwordField 0x1f2bb:$a5: set_encryptedPassword 0x1f088:$a7: get_logins 0x1e612:$a8: GetOutlookPasswords 0x1db26:$a9: StartKeylogger 0x1c580:$a10: KeyLoggerEventArgs 0x1c54f:$a11: KeyLoggerEventArgsEventHandler 0x1f15c:$a13: _encryptedPassword
10.2.eygydoqJ.pif.1f4e0f08.6.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
10.2.eygydoqJ.pif.1f4e0f08.6.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
10.2.eygydoqJ.pif.1f4e0f08.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.eygydoqJ.pif.1f4e0f08.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1f2a5:$a1: get_encryptedPassword 0x1f279:$a2: get_encryptedUsername 0x1f33d:$a3: get_timePasswordChanged 0x1f255:$a4: get_passwordField 0x1f2bb:$a5: set_encryptedPassword 0x1f088:$a7: get_logins 0x1e612:$a8: GetOutlookPasswords 0x1db26:$a9: StartKeylogger 0x1c580:$a10: KeyLoggerEventArgs 0x1c54f:$a11: KeyLoggerEventArgsEventHandler 0x1f15c:$a13: _encryptedPassword
13.2.eygydoqJ.pif.400000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
10.2.eygydoqJ.pif.1f2f6c66.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
10.2.eygydoqJ.pif.1f2f6c66.3.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
10.2.eygydoqJ.pif.1f2f6c66.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.eygydoqJ.pif.1f2f6c66.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x210a5:$a1: get_encryptedPassword 0x21079:$a2: get_encryptedUsername 0x2113d:$a3: get_timePasswordChanged 0x21055:$a4: get_passwordField 0x210bb:$a5: set_encryptedPassword 0x20e88:$a7: get_logins 0x20412:$a8: GetOutlookPasswords 0x1f926:$a9: StartKeylogger 0x1e380:$a10: KeyLoggerEventArgs 0x1e34f:$a11: KeyLoggerEventArgsEventHandler 0x20f5c:$a13: _encryptedPassword
10.2.eygydoqJ.pif.1f2f6c66.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
10.2.eygydoqJ.pif.1f2f6c66.3.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
10.2.eygydoqJ.pif.1f2f6c66.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.eygydoqJ.pif.1f2f6c66.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1f2a5:$a1: get_encryptedPassword 0x1f279:$a2: get_encryptedUsername 0x1f33d:$a3: get_timePasswordChanged 0x1f255:$a4: get_passwordField 0x1f2bb:$a5: set_encryptedPassword 0x1f088:$a7: get_logins 0x1e612:$a8: GetOutlookPasswords 0x1db26:$a9: StartKeylogger 0x1c580:$a10: KeyLoggerEventArgs 0x1c54f:$a11: KeyLoggerEventArgsEventHandler 0x1f15c:$a13: _encryptedPassword
8.2.eygydoqJ.pif.1de96478.10.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.eygydoqJ.pif.1de96478.10.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
8.2.eygydoqJ.pif.1de96478.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.eygydoqJ.pif.1de96478.10.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1f2a5:$a1: get_encryptedPassword 0x1f279:$a2: get_encryptedUsername 0x1f33d:$a3: get_timePasswordChanged 0x1f255:$a4: get_passwordField 0x1f2bb:$a5: set_encryptedPassword 0x1f088:$a7: get_logins 0x1e612:$a8: GetOutlookPasswords 0x1db26:$a9: StartKeylogger 0x1c580:$a10: KeyLoggerEventArgs 0x1c54f:$a11: KeyLoggerEventArgsEventHandler 0x1f15c:$a13: _encryptedPassword
8.2.eygydoqJ.pif.1cd40000.7.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.eygydoqJ.pif.1cd40000.7.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
8.2.eygydoqJ.pif.1cd40000.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.eygydoqJ.pif.1cd40000.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x210a5:$a1: get_encryptedPassword 0x21079:$a2: get_encryptedUsername 0x2113d:$a3: get_timePasswordChanged 0x21055:$a4: get_passwordField 0x210bb:$a5: set_encryptedPassword 0x20e88:$a7: get_logins 0x20412:$a8: GetOutlookPasswords 0x1f926:$a9: StartKeylogger 0x1e380:$a10: KeyLoggerEventArgs 0x1e34f:$a11: KeyLoggerEventArgsEventHandler 0x20f5c:$a13: _encryptedPassword
10.2.eygydoqJ.pif.400000.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
3.2.x.exe.212af7a8.6.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x554e0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x384b0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x38b30:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x571ba:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x56e00:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x562b8:$s6: constructor or from DllMain.
3.2.x.exe.212af7a8.6.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x344b0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x34b30:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
8.2.eygydoqJ.pif.1de95570.9.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.eygydoqJ.pif.1de95570.9.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
8.2.eygydoqJ.pif.1de95570.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.eygydoqJ.pif.1de95570.9.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x201ad:$a1: get_encryptedPassword 0x20181:$a2: get_encryptedUsername 0x20245:$a3: get_timePasswordChanged 0x2015d:$a4: get_passwordField 0x201c3:$a5: set_encryptedPassword 0x1ff90:$a7: get_logins 0x1f51a:$a8: GetOutlookPasswords 0x1ea2e:$a9: StartKeylogger 0x1d488:$a10: KeyLoggerEventArgs 0x1d457:$a11: KeyLoggerEventArgsEventHandler 0x20064:$a13: _encryptedPassword
3.2.x.exe.212e7bd8.7.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
13.2.eygydoqJ.pif.1a350000.6.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.eygydoqJ.pif.1a350000.6.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
13.2.eygydoqJ.pif.1a350000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.eygydoqJ.pif.1a350000.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x201ad:$a1: get_encryptedPassword 0x20181:$a2: get_encryptedUsername 0x20245:$a3: get_timePasswordChanged 0x2015d:$a4: get_passwordField 0x201c3:$a5: set_encryptedPassword 0x1ff90:$a7: get_logins 0x1f51a:$a8: GetOutlookPasswords 0x1ea2e:$a9: StartKeylogger 0x1d488:$a10: KeyLoggerEventArgs 0x1d457:$a11: KeyLoggerEventArgsEventHandler 0x20064:$a13: _encryptedPassword
10.2.eygydoqJ.pif.1f2f5d5e.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
10.2.eygydoqJ.pif.1f2f5d5e.4.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
10.2.eygydoqJ.pif.1f2f5d5e.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.eygydoqJ.pif.1f2f5d5e.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x201ad:$a1: get_encryptedPassword 0x20181:$a2: get_encryptedUsername 0x20245:$a3: get_timePasswordChanged 0x2015d:$a4: get_passwordField 0x201c3:$a5: set_encryptedPassword 0x1ff90:$a7: get_logins 0x1f51a:$a8: GetOutlookPasswords 0x1ea2e:$a9: StartKeylogger 0x1d488:$a10: KeyLoggerEventArgs 0x1d457:$a11: KeyLoggerEventArgsEventHandler 0x20064:$a13: _encryptedPassword
13.2.eygydoqJ.pif.1a085d5e.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.eygydoqJ.pif.1a085d5e.3.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
13.2.eygydoqJ.pif.1a085d5e.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.eygydoqJ.pif.1a085d5e.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x201ad:$a1: get_encryptedPassword 0x20181:$a2: get_encryptedUsername 0x20245:$a3: get_timePasswordChanged 0x2015d:$a4: get_passwordField 0x201c3:$a5: set_encryptedPassword 0x1ff90:$a7: get_logins 0x1f51a:$a8: GetOutlookPasswords 0x1ea2e:$a9: StartKeylogger 0x1d488:$a10: KeyLoggerEventArgs 0x1d457:$a11: KeyLoggerEventArgsEventHandler 0x20064:$a13: _encryptedPassword
8.2.eygydoqJ.pif.1cc20000.5.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.eygydoqJ.pif.1cc20000.5.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
8.2.eygydoqJ.pif.1cc20000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.eygydoqJ.pif.1cc20000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x201ad:$a1: get_encryptedPassword 0x20181:$a2: get_encryptedUsername 0x20245:$a3: get_timePasswordChanged 0x2015d:$a4: get_passwordField 0x201c3:$a5: set_encryptedPassword 0x1ff90:$a7: get_logins 0x1f51a:$a8: GetOutlookPasswords 0x1ea2e:$a9: StartKeylogger 0x1d488:$a10: KeyLoggerEventArgs 0x1d457:$a11: KeyLoggerEventArgsEventHandler 0x20064:$a13: _encryptedPassword
10.2.eygydoqJ.pif.20563190.7.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
10.2.eygydoqJ.pif.20563190.7.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
10.2.eygydoqJ.pif.20563190.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.eygydoqJ.pif.20563190.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x210a5:$a1: get_encryptedPassword 0x21079:$a2: get_encryptedUsername 0x2113d:$a3: get_timePasswordChanged 0x21055:$a4: get_passwordField 0x210bb:$a5: set_encryptedPassword 0x20e88:$a7: get_logins 0x20412:$a8: GetOutlookPasswords 0x1f926:$a9: StartKeylogger 0x1e380:$a10: KeyLoggerEventArgs 0x1e34f:$a11: KeyLoggerEventArgsEventHandler 0x20f5c:$a13: _encryptedPassword
13.2.eygydoqJ.pif.4e68c8.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
13.2.eygydoqJ.pif.1b5a5570.8.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.eygydoqJ.pif.1b5a5570.8.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
13.2.eygydoqJ.pif.1b5a5570.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.eygydoqJ.pif.1b5a5570.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21fad:$a1: get_encryptedPassword 0x4ecc5:$a1: get_encryptedPassword 0x21f81:$a2: get_encryptedUsername 0x4ec99:$a2: get_encryptedUsername 0x22045:$a3: get_timePasswordChanged 0x4ed5d:$a3: get_timePasswordChanged 0x21f5d:$a4: get_passwordField 0x4ec75:$a4: get_passwordField 0x21fc3:$a5: set_encryptedPassword 0x4ecdb:$a5: set_encryptedPassword 0x21d90:$a7: get_logins 0x4eaa8:$a7: get_logins 0x2131a:$a8: GetOutlookPasswords 0x4e032:$a8: GetOutlookPasswords 0x2082e:$a9: StartKeylogger 0x4d546:$a9: StartKeylogger 0x1f288:$a10: KeyLoggerEventArgs 0x4bfa0:$a10: KeyLoggerEventArgs 0x1f257:$a11: KeyLoggerEventArgsEventHandler 0x4bf6f:$a11: KeyLoggerEventArgsEventHandler 0x21e64:$a13: _encryptedPassword
3.2.x.exe.2a50000.1.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
10.2.eygydoqJ.pif.1f2f5d5e.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
10.2.eygydoqJ.pif.1f2f5d5e.4.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
10.2.eygydoqJ.pif.1f2f5d5e.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.eygydoqJ.pif.1f2f5d5e.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21fad:$a1: get_encryptedPassword 0x21f81:$a2: get_encryptedUsername 0x22045:$a3: get_timePasswordChanged 0x21f5d:$a4: get_passwordField 0x21fc3:$a5: set_encryptedPassword 0x21d90:$a7: get_logins 0x2131a:$a8: GetOutlookPasswords 0x2082e:$a9: StartKeylogger 0x1f288:$a10: KeyLoggerEventArgs 0x1f257:$a11: KeyLoggerEventArgsEventHandler 0x21e64:$a13: _encryptedPassword
8.2.eygydoqJ.pif.1de95570.9.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.eygydoqJ.pif.1de95570.9.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
8.2.eygydoqJ.pif.1de95570.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.eygydoqJ.pif.1de95570.9.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21fad:$a1: get_encryptedPassword 0x4ecc5:$a1: get_encryptedPassword 0x21f81:$a2: get_encryptedUsername 0x4ec99:$a2: get_encryptedUsername 0x22045:$a3: get_timePasswordChanged 0x4ed5d:$a3: get_timePasswordChanged 0x21f5d:$a4: get_passwordField 0x4ec75:$a4: get_passwordField 0x21fc3:$a5: set_encryptedPassword 0x4ecdb:$a5: set_encryptedPassword 0x21d90:$a7: get_logins 0x4eaa8:$a7: get_logins 0x2131a:$a8: GetOutlookPasswords 0x4e032:$a8: GetOutlookPasswords 0x2082e:$a9: StartKeylogger 0x4d546:$a9: StartKeylogger 0x1f288:$a10: KeyLoggerEventArgs 0x4bfa0:$a10: KeyLoggerEventArgs 0x1f257:$a11: KeyLoggerEventArgsEventHandler 0x4bf6f:$a11: KeyLoggerEventArgsEventHandler 0x21e64:$a13: _encryptedPassword
13.2.eygydoqJ.pif.1b5a6478.10.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.eygydoqJ.pif.1b5a6478.10.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
13.2.eygydoqJ.pif.1b5a6478.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.eygydoqJ.pif.1b5a6478.10.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x210a5:$a1: get_encryptedPassword 0x4ddbd:$a1: get_encryptedPassword 0x21079:$a2: get_encryptedUsername 0x4dd91:$a2: get_encryptedUsername 0x2113d:$a3: get_timePasswordChanged 0x4de55:$a3: get_timePasswordChanged 0x21055:$a4: get_passwordField 0x4dd6d:$a4: get_passwordField 0x210bb:$a5: set_encryptedPassword 0x4ddd3:$a5: set_encryptedPassword 0x20e88:$a7: get_logins 0x4dba0:$a7: get_logins 0x20412:$a8: GetOutlookPasswords 0x4d12a:$a8: GetOutlookPasswords 0x1f926:$a9: StartKeylogger 0x4c63e:$a9: StartKeylogger 0x1e380:$a10: KeyLoggerEventArgs 0x4b098:$a10: KeyLoggerEventArgs 0x1e34f:$a11: KeyLoggerEventArgsEventHandler 0x4b067:$a11: KeyLoggerEventArgsEventHandler 0x20f5c:$a13: _encryptedPassword
13.2.eygydoqJ.pif.1a350000.6.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.eygydoqJ.pif.1a350000.6.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
13.2.eygydoqJ.pif.1a350000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.eygydoqJ.pif.1a350000.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21fad:$a1: get_encryptedPassword 0x21f81:$a2: get_encryptedUsername 0x22045:$a3: get_timePasswordChanged 0x21f5d:$a4: get_passwordField 0x21fc3:$a5: set_encryptedPassword 0x21d90:$a7: get_logins 0x2131a:$a8: GetOutlookPasswords 0x2082e:$a9: StartKeylogger 0x1f288:$a10: KeyLoggerEventArgs 0x1f257:$a11: KeyLoggerEventArgsEventHandler 0x21e64:$a13: _encryptedPassword
13.2.eygydoqJ.pif.1b5a5570.8.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.eygydoqJ.pif.1b5a5570.8.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
13.2.eygydoqJ.pif.1b5a5570.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.eygydoqJ.pif.1b5a5570.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x201ad:$a1: get_encryptedPassword 0x20181:$a2: get_encryptedUsername 0x20245:$a3: get_timePasswordChanged 0x2015d:$a4: get_passwordField 0x201c3:$a5: set_encryptedPassword 0x1ff90:$a7: get_logins 0x1f51a:$a8: GetOutlookPasswords 0x1ea2e:$a9: StartKeylogger 0x1d488:$a10: KeyLoggerEventArgs 0x1d457:$a11: KeyLoggerEventArgsEventHandler 0x20064:$a13: _encryptedPassword
13.2.eygydoqJ.pif.1b5d3190.9.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.eygydoqJ.pif.1b5d3190.9.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
13.2.eygydoqJ.pif.1b5d3190.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.eygydoqJ.pif.1b5d3190.9.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x210a5:$a1: get_encryptedPassword 0x21079:$a2: get_encryptedUsername 0x2113d:$a3: get_timePasswordChanged 0x21055:$a4: get_passwordField 0x210bb:$a5: set_encryptedPassword 0x20e88:$a7: get_logins 0x20412:$a8: GetOutlookPasswords 0x1f926:$a9: StartKeylogger 0x1e380:$a10: KeyLoggerEventArgs 0x1e34f:$a11: KeyLoggerEventArgsEventHandler 0x20f5c:$a13: _encryptedPassword
13.2.eygydoqJ.pif.1a500000.7.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.eygydoqJ.pif.1a500000.7.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
13.2.eygydoqJ.pif.1a500000.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.eygydoqJ.pif.1a500000.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x210a5:$a1: get_encryptedPassword 0x21079:$a2: get_encryptedUsername 0x2113d:$a3: get_timePasswordChanged 0x21055:$a4: get_passwordField 0x210bb:$a5: set_encryptedPassword 0x20e88:$a7: get_logins 0x20412:$a8: GetOutlookPasswords 0x1f926:$a9: StartKeylogger 0x1e380:$a10: KeyLoggerEventArgs 0x1e34f:$a11: KeyLoggerEventArgsEventHandler 0x20f5c:$a13: _encryptedPassword
10.2.eygydoqJ.pif.43d038.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0xc6940:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0xa9910:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0xa9f90:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0xc861a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0xc8260:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0xc7718:$s6: constructor or from DllMain.
8.2.eygydoqJ.pif.1cb75d5e.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.eygydoqJ.pif.1cb75d5e.4.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
8.2.eygydoqJ.pif.1cb75d5e.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.eygydoqJ.pif.1cb75d5e.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21fad:$a1: get_encryptedPassword 0x21f81:$a2: get_encryptedUsername 0x22045:$a3: get_timePasswordChanged 0x21f5d:$a4: get_passwordField 0x21fc3:$a5: set_encryptedPassword 0x21d90:$a7: get_logins 0x2131a:$a8: GetOutlookPasswords 0x2082e:$a9: StartKeylogger 0x1f288:$a10: KeyLoggerEventArgs 0x1f257:$a11: KeyLoggerEventArgsEventHandler 0x21e64:$a13: _encryptedPassword
13.3.eygydoqJ.pif.185de898.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.3.eygydoqJ.pif.185de898.0.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
13.3.eygydoqJ.pif.185de898.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.eygydoqJ.pif.1f4e0000.5.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
10.2.eygydoqJ.pif.1f4e0000.5.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
10.2.eygydoqJ.pif.1f4e0000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.eygydoqJ.pif.1f4e0000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21fad:$a1: get_encryptedPassword 0x21f81:$a2: get_encryptedUsername 0x22045:$a3: get_timePasswordChanged 0x21f5d:$a4: get_passwordField 0x21fc3:$a5: set_encryptedPassword 0x21d90:$a7: get_logins 0x2131a:$a8: GetOutlookPasswords 0x2082e:$a9: StartKeylogger 0x1f288:$a10: KeyLoggerEventArgs 0x1f257:$a11: KeyLoggerEventArgsEventHandler 0x21e64:$a13: _encryptedPassword
13.3.eygydoqJ.pif.185de898.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x210a5:$a1: get_encryptedPassword 0x21079:$a2: get_encryptedUsername 0x2113d:$a3: get_timePasswordChanged 0x21055:$a4: get_passwordField 0x210bb:$a5: set_encryptedPassword 0x20e88:$a7: get_logins 0x20412:$a8: GetOutlookPasswords 0x1f926:$a9: StartKeylogger 0x1e380:$a10: KeyLoggerEventArgs 0x1e34f:$a11: KeyLoggerEventArgsEventHandler 0x20f5c:$a13: _encryptedPassword
8.3.eygydoqJ.pif.1afb7b10.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.3.eygydoqJ.pif.1afb7b10.0.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
8.3.eygydoqJ.pif.1afb7b10.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.3.eygydoqJ.pif.1afb7b10.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1f2a5:$a1: get_encryptedPassword 0x1f279:$a2: get_encryptedUsername 0x1f33d:$a3: get_timePasswordChanged 0x1f255:$a4: get_passwordField 0x1f2bb:$a5: set_encryptedPassword 0x1f088:$a7: get_logins 0x1e612:$a8: GetOutlookPasswords 0x1db26:$a9: StartKeylogger 0x1c580:$a10: KeyLoggerEventArgs 0x1c54f:$a11: KeyLoggerEventArgsEventHandler 0x1f15c:$a13: _encryptedPassword
10.2.eygydoqJ.pif.1f4e0f08.6.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
10.2.eygydoqJ.pif.1f4e0f08.6.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
13.2.eygydoqJ.pif.1b5a6478.10.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.eygydoqJ.pif.1b5a6478.10.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
13.2.eygydoqJ.pif.1b5a6478.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.eygydoqJ.pif.1b5a6478.10.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1f2a5:$a1: get_encryptedPassword 0x1f279:$a2: get_encryptedUsername 0x1f33d:$a3: get_timePasswordChanged 0x1f255:$a4: get_passwordField 0x1f2bb:$a5: set_encryptedPassword 0x1f088:$a7: get_logins 0x1e612:$a8: GetOutlookPasswords 0x1db26:$a9: StartKeylogger 0x1c580:$a10: KeyLoggerEventArgs 0x1c54f:$a11: KeyLoggerEventArgsEventHandler 0x1f15c:$a13: _encryptedPassword
10.2.eygydoqJ.pif.1f4e0f08.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.eygydoqJ.pif.1f4e0f08.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x210a5:$a1: get_encryptedPassword 0x21079:$a2: get_encryptedUsername 0x2113d:$a3: get_timePasswordChanged 0x21055:$a4: get_passwordField 0x210bb:$a5: set_encryptedPassword 0x20e88:$a7: get_logins 0x20412:$a8: GetOutlookPasswords 0x1f926:$a9: StartKeylogger 0x1e380:$a10: KeyLoggerEventArgs 0x1e34f:$a11: KeyLoggerEventArgsEventHandler 0x20f5c:$a13: _encryptedPassword
10.2.eygydoqJ.pif.20536478.8.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
10.2.eygydoqJ.pif.20536478.8.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
10.2.eygydoqJ.pif.20536478.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.eygydoqJ.pif.20536478.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x210a5:$a1: get_encryptedPassword 0x4ddbd:$a1: get_encryptedPassword 0x21079:$a2: get_encryptedUsername 0x4dd91:$a2: get_encryptedUsername 0x2113d:$a3: get_timePasswordChanged 0x4de55:$a3: get_timePasswordChanged 0x21055:$a4: get_passwordField 0x4dd6d:$a4: get_passwordField 0x210bb:$a5: set_encryptedPassword 0x4ddd3:$a5: set_encryptedPassword 0x20e88:$a7: get_logins 0x4dba0:$a7: get_logins 0x20412:$a8: GetOutlookPasswords 0x4d12a:$a8: GetOutlookPasswords 0x1f926:$a9: StartKeylogger 0x4c63e:$a9: StartKeylogger 0x1e380:$a10: KeyLoggerEventArgs 0x4b098:$a10: KeyLoggerEventArgs 0x1e34f:$a11: KeyLoggerEventArgsEventHandler 0x4b067:$a11: KeyLoggerEventArgsEventHandler 0x20f5c:$a13: _encryptedPassword
8.1.eygydoqJ.pif.43d038.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x344b0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x34b30:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
8.2.eygydoqJ.pif.1dec3190.8.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.eygydoqJ.pif.1dec3190.8.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
8.2.eygydoqJ.pif.1dec3190.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.eygydoqJ.pif.1dec3190.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x210a5:$a1: get_encryptedPassword 0x21079:$a2: get_encryptedUsername 0x2113d:$a3: get_timePasswordChanged 0x21055:$a4: get_passwordField 0x210bb:$a5: set_encryptedPassword 0x20e88:$a7: get_logins 0x20412:$a8: GetOutlookPasswords 0x1f926:$a9: StartKeylogger 0x1e380:$a10: KeyLoggerEventArgs 0x1e34f:$a11: KeyLoggerEventArgsEventHandler 0x20f5c:$a13: _encryptedPassword
10.2.eygydoqJ.pif.400000.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
8.1.eygydoqJ.pif.43d038.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x554e0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x384b0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x38b30:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x571ba:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x56e00:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x562b8:$s6: constructor or from DllMain.
9.2.Jqodygye.PIF.2100e348.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0xa9910:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
8.2.eygydoqJ.pif.1cc20f08.6.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.eygydoqJ.pif.1cc20f08.6.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
8.2.eygydoqJ.pif.1cc20f08.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.eygydoqJ.pif.1cc20f08.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x210a5:$a1: get_encryptedPassword 0x21079:$a2: get_encryptedUsername 0x2113d:$a3: get_timePasswordChanged 0x21055:$a4: get_passwordField 0x210bb:$a5: set_encryptedPassword 0x20e88:$a7: get_logins 0x20412:$a8: GetOutlookPasswords 0x1f926:$a9: StartKeylogger 0x1e380:$a10: KeyLoggerEventArgs 0x1e34f:$a11: KeyLoggerEventArgsEventHandler 0x20f5c:$a13: _encryptedPassword
3.2.x.exe.241e118.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
13.1.eygydoqJ.pif.43d038.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0xc6940:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0xa9910:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0xa9f90:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0xc861a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0xc8260:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0xc7718:$s6: constructor or from DllMain.
13.2.eygydoqJ.pif.43d038.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0xc6940:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0xa9910:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0xa9f90:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0xc861a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0xc8260:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0xc7718:$s6: constructor or from DllMain.
10.1.eygydoqJ.pif.43d038.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0xc6940:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0xa9910:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0xa9f90:$s3: 83 EC 38 53 B0 79 88 44 24 2B 88 44 24 2F B0 09 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0xc861a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0xc8260:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0xc7718:$s6: constructor or from DllMain.
Click to see the 232 entries

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 6272, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\\Users\\user\\Links\Jqodygye.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 6272, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jqodygye

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\\Users\\user\\Links\eygydoqJ.pif, CommandLine: C:\\Users\\user\\Links\eygydoqJ.pif, CommandLine|base64offset|contains: , Image: C:\Users\user\Links\eygydoqJ.pif, NewProcessName: C:\Users\user\Links\eygydoqJ.pif, OriginalFileName: C:\Users\user\Links\eygydoqJ.pif, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 6272, ParentProcessName: x.exe, ProcessCommandLine: C:\\Users\\user\\Links\eygydoqJ.pif, ProcessId: 5160, ProcessName: eygydoqJ.pif

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T08:50:45.866973+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49683	193.122.6.168	80	TCP
2025-03-11T08:50:59.807285+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49686	193.122.6.168	80	TCP
2025-03-11T08:51:09.600634+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49692	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: INQ_NO_097590_0109_Order.cmd

ReversingLabs: Detection: 15%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Links\eygydoqJ.pif	Unpacked PE file: 8.2.eygydoqJ.pif.400000.0.unpack
Source: C:\Users\user\Links\eygydoqJ.pif	Unpacked PE file: 10.2.eygydoqJ.pif.400000.2.unpack
Source: C:\Users\user\Links\eygydoqJ.pif	Unpacked PE file: 13.2.eygydoqJ.pif.400000.1.unpack

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49684 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49687 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49693 version: TLS 1.0

Source:	Binary string: easinvoker.pdb source: x.exe, 00000003.00000002.939424822.000000002074F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.890908839.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.891371495.000000007EBD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: eygydoqJ.pif, 00000008.00000002.2157856719.000000001DE91000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 00000008.00000003.916808373.000000001AFB7000.00000004.00000020.00020000.00000000.sdmp, eygydoqJ.pif, 00000008.00000002.2151615923.000000001CC20000.00000004.08000000.00040000.00000000.sdmp, eygydoqJ.pif, 00000008.00000002.2151357570.000000001CB35000.00000004.00000020.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2153882700.000000001F4E0000.00000004.08000000.00040000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2153281830.000000001F2B5000.00000004.00000020.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2159042614.0000000020531000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000003.1071748715.000000001D53B000.00000004.00000020.00020000.00000000.sdmp, eygydoqJ.pif, 0000000D.00000002.2158981033.000000001B5A1000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000D.00000003.1146685934.00000000185DE000.00000004.00000020.00020000.00000000.sdmp, eygydoqJ.pif, 0000000D.00000002.2151445487.000000001A045000.00000004.00000020.00020000.00000000.sdmp, eygydoqJ.pif, 0000000D.00000002.2152200513.000000001A350000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: x.exe, 00000003.00000002.939424822.000000002074F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.890908839.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.891371495.000000007EBD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.891791710.0000000000821000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000003.891791710.00000000007F9000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 3_2_02A552F8 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

3_2_02A552F8

Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	8_2_1AF4E2A8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 1FBBAED5h	8_2_1FBBAB30
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 20689F2Fh	8_2_20689B08
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 2068BBDCh	8_2_2068B840
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206898DDh	8_2_20689540
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 20688D4Dh	8_2_206889B0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 2068CD1Ch	8_2_2068C980
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 2068AB0Ah	8_2_2068AA60
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206881BDh	8_2_20687E20
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 2068AB0Ah	8_2_2068AA27
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 2068C19Ch	8_2_2068BE00
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 2068B61Ch	8_2_2068B280
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 20689315h	8_2_20688F78
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 2068D2DCh	8_2_2068CF40
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 20688785h	8_2_206883E8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 2068C75Ch	8_2_2068C3C0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206AB300h	8_2_206AB0F8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206ABDF4h	8_2_206AB0F8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A93B4h	8_2_206A9018
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A6477h	8_2_206A60D0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A3C2Ch	8_2_206A3890
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A7CB4h	8_2_206A7918
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A4D6Ch	8_2_206A49D0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A252Ch	8_2_206A2190
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A8DF4h	8_2_206A8A58
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A366Ch	8_2_206A32D0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A76F4h	8_2_206A7358
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A5EACh	8_2_206A5B10
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A1F6Ch	8_2_206A1BD0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A9F34h	8_2_206A9B98
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A47ACh	8_2_206A4410
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_206AA415
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A8834h	8_2_206A8498
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A58ECh	8_2_206A5550
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A30ACh	8_2_206A2D10
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A9974h	8_2_206A95D8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A7134h	8_2_206A6D98
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A41ECh	8_2_206A3E50
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A19ACh	8_2_206A1610
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A8274h	8_2_206A7ED8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A2AECh	8_2_206A2750
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then mov esp, ebp	8_2_206ADF28
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A6B74h	8_2_206A67D8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then mov esp, ebp	8_2_206ADFDC
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 206A532Ch	8_2_206A4F90
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	8_2_2098E1A0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	8_2_2098A524
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	10_2_1F18E2A8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 2234AED5h	10_2_2234AB30
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E19F2Fh	10_2_22E19B08
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E1B61Ch	10_2_22E1B280
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E1AB0Ah	10_2_22E1AA60
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E181BDh	10_2_22E17E20
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E1AB0Ah	10_2_22E1AA27
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E1C19Ch	10_2_22E1BE00
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E18785h	10_2_22E183E8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E1C75Ch	10_2_22E1C3C0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E19315h	10_2_22E18F78
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E1D2DCh	10_2_22E1CF40
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E1BBDCh	10_2_22E1B840
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E18D4Dh	10_2_22E189B0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E1CD1Ch	10_2_22E1C980
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E198DDh	10_2_22E19540
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E3B300h	10_2_22E3B0F8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E3BDF4h	10_2_22E3B0F8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E3366Ch	10_2_22E332D0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E38DF4h	10_2_22E38A58
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E31F6Ch	10_2_22E31BD0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_22E3ABD0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E39F34h	10_2_22E39B98
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E376F4h	10_2_22E37358
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E35EACh	10_2_22E35B10
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E36477h	10_2_22E360D0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E33C2Ch	10_2_22E33890
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E393B4h	10_2_22E39018
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E34D6Ch	10_2_22E349D0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E3252Ch	10_2_22E32190
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E37CB4h	10_2_22E37918
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E38274h	10_2_22E37ED8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E341ECh	10_2_22E33E50
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E319ACh	10_2_22E31610
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E36B74h	10_2_22E367D8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then mov esp, ebp	10_2_22E3DFDC
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E3532Ch	10_2_22E34F90
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E32AECh	10_2_22E32750
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then mov esp, ebp	10_2_22E3DF28
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E38834h	10_2_22E38498
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_22E3A409
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E347ACh	10_2_22E34410
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_22E3ADD0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E39974h	10_2_22E395D8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E37134h	10_2_22E36D98
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E358ECh	10_2_22E35550
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then jmp 22E330ACh	10_2_22E32D10
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	10_2_2311E1A0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	10_2_2311A524

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49692 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49683 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49686 -> 193.122.6.168:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49684 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49687 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49693 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: eygydoqJ.pif, 00000008.00000002.2152547309.000000001CF84000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2154552207.000000001F622000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000D.00000002.2154018283.000000001A692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: eygydoqJ.pif, 00000008.00000002.2152547309.000000001CF78000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 00000008.00000002.2152547309.000000001CF84000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2154552207.000000001F622000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2154552207.000000001F616000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000D.00000002.2154018283.000000001A692000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000D.00000002.2154018283.000000001A686000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: eygydoqJ.pif, 00000008.00000002.2152547309.000000001CF84000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2154552207.000000001F622000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000D.00000002.2154018283.000000001A692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: eygydoqJ.pif, 00000008.00000002.2152547309.000000001CEFB000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2154552207.000000001F599000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000D.00000002.2154018283.000000001A609000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/h
Source: eygydoqJ.pif, 00000008.00000002.2152547309.000000001CEFB000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2154552207.000000001F599000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000D.00000002.2154018283.000000001A609000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/p
Source: eygydoqJ.pif, 00000008.00000002.2152547309.000000001CFA0000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2154552207.000000001F63E000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000D.00000002.2154018283.000000001A6AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: eygydoqJ.pif, 00000008.00000002.2152547309.000000001CEFB000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2154552207.000000001F599000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000D.00000002.2154018283.000000001A609000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: x.exe, 00000003.00000002.915615978.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.939424822.000000002074F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.891371495.000000007EBD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.945154235.0000000020FA0000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000003.891371495.000000007EC1B000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.890908839.000000007ED2B000.00000004.00001000.00020000.00000000.sdmp, eygydoqJ.pif, 00000008.00000000.896676478.0000000000416000.00000002.00000001.01000000.00000006.sdmp, eygydoqJ.pif, 0000000A.00000000.1032696037.0000000000416000.00000002.00000001.01000000.00000006.sdmp, eygydoqJ.pif, 0000000D.00000000.1113523252.0000000000416000.00000002.00000001.01000000.00000006.sdmp, eygydoqJ.pif.3.dr	String found in binary or memory: http://www.pmail.com
Source: eygydoqJ.pif, 00000008.00000002.2152547309.000000001CEFB000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2154552207.000000001F599000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000D.00000002.2154018283.000000001A609000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: eygydoqJ.pif, 00000008.00000002.2152547309.000000001CF84000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2154552207.000000001F622000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000D.00000002.2154018283.000000001A692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: eygydoqJ.pif, 00000008.00000002.2152547309.000000001CEFB000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 00000008.00000002.2152547309.000000001CF84000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2154552207.000000001F622000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2154552207.000000001F599000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000D.00000002.2154018283.000000001A609000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000D.00000002.2154018283.000000001A692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: eygydoqJ.pif, 00000008.00000002.2152547309.000000001CF84000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2154552207.000000001F622000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000D.00000002.2154018283.000000001A692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 8.2.eygydoqJ.pif.1cd40000.7.raw.unpack, UltraSpeed.cs

.Net Code: VKCodeToUnicode

Source: Yara match

File source: Process Memory Space: x.exe PID: 6272, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.eygydoqJ.pif.1cc20000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.eygydoqJ.pif.43d038.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.eygydoqJ.pif.1cc20f08.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.eygydoqJ.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.1.eygydoqJ.pif.4e68c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.eygydoqJ.pif.1dec3190.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.eygydoqJ.pif.1f4e0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.eygydoqJ.pif.20563190.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.eygydoqJ.pif.22120000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.eygydoqJ.pif.1a350f08.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.1.eygydoqJ.pif.4e68c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.eygydoqJ.pif.1cb76c66.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.eygydoqJ.pif.20535570.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.eygydoqJ.pif.475468.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.3.eygydoqJ.pif.1afb7b10.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.eygydoqJ.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.1.eygydoqJ.pif.475468.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.eygydoqJ.pif.43d038.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.eygydoqJ.pif.1a500000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.1.eygydoqJ.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.eygydoqJ.pif.1a086c66.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.eygydoqJ.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.eygydoqJ.pif.1a085d5e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.1.eygydoqJ.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.eygydoqJ.pif.1a086c66.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.eygydoqJ.pif.20535570.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.eygydoqJ.pif.22120000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.eygydoqJ.pif.4e68c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.3.eygydoqJ.pif.185de898.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.eygydoqJ.pif.20536478.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.eygydoqJ.pif.1b5d3190.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.eygydoqJ.pif.1de96478.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.eygydoqJ.pif.1a350f08.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.eygydoqJ.pif.1cb75d5e.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.eygydoqJ.pif.1cb76c66.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.eygydoqJ.pif.1cd40000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.eygydoqJ.pif.1f4e0f08.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.eygydoqJ.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.eygydoqJ.pif.1f2f6c66.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.eygydoqJ.pif.1f2f6c66.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.eygydoqJ.pif.1de96478.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.eygydoqJ.pif.1cd40000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.eygydoqJ.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.x.exe.212af7a8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.x.exe.212af7a8.6.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.eygydoqJ.pif.1de95570.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.x.exe.212e7bd8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.eygydoqJ.pif.1a350000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.eygydoqJ.pif.1f2f5d5e.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.eygydoqJ.pif.1a085d5e.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.eygydoqJ.pif.1cc20000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.eygydoqJ.pif.20563190.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.eygydoqJ.pif.4e68c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.eygydoqJ.pif.1b5a5570.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.eygydoqJ.pif.1f2f5d5e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.eygydoqJ.pif.1de95570.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.eygydoqJ.pif.1b5a6478.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.eygydoqJ.pif.1a350000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.eygydoqJ.pif.1b5a5570.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.eygydoqJ.pif.1b5d3190.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.eygydoqJ.pif.1a500000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.eygydoqJ.pif.43d038.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.eygydoqJ.pif.1cb75d5e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.eygydoqJ.pif.1f4e0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.3.eygydoqJ.pif.185de898.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.3.eygydoqJ.pif.1afb7b10.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.eygydoqJ.pif.1b5a6478.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.eygydoqJ.pif.1f4e0f08.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.eygydoqJ.pif.20536478.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.1.eygydoqJ.pif.43d038.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.eygydoqJ.pif.1dec3190.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.eygydoqJ.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.1.eygydoqJ.pif.43d038.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.Jqodygye.PIF.2100e348.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.eygydoqJ.pif.1cc20f08.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.1.eygydoqJ.pif.43d038.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.eygydoqJ.pif.43d038.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.1.eygydoqJ.pif.43d038.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000008.00000002.2157856719.000000001DE91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000001.898049041.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000A.00000002.2160908840.0000000022120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.2153882700.000000001F4E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000D.00000002.2158981033.000000001B5A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000D.00000002.2153491388.000000001A500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.2129362086.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000D.00000002.2129374067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000A.00000002.2159042614.0000000020531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.2153281830.000000001F2B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.2129300128.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000008.00000003.916808373.000000001AFB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.2151615923.000000001CC20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000D.00000003.1146685934.00000000185DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.2151357570.000000001CB35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000D.00000002.2151445487.000000001A045000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000D.00000002.2152200513.000000001A350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.2152197129.000000001CD40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: eygydoqJ.pif PID: 5160, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: eygydoqJ.pif PID: 7128, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: eygydoqJ.pif PID: 3552, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A6421C GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	3_2_02A6421C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A63380 NtWriteVirtualMemory,	3_2_02A63380
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A63034 NtAllocateVirtualMemory,	3_2_02A63034
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A69654 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	3_2_02A69654
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A69738 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	3_2_02A69738
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A695CC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	3_2_02A695CC
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A63B44 NtUnmapViewOfSection,	3_2_02A63B44
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A638D4 NtReadVirtualMemory,	3_2_02A638D4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A6421A GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	3_2_02A6421A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A63032 NtAllocateVirtualMemory,	3_2_02A63032
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A69578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	3_2_02A69578
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 9_2_029B421C GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	9_2_029B421C
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 9_2_029B3380 NtWriteVirtualMemory,	9_2_029B3380
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 9_2_029B3B44 NtUnmapViewOfSection,	9_2_029B3B44
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 9_2_029B38D4 NtReadVirtualMemory,	9_2_029B38D4
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 9_2_029B3034 NtAllocateVirtualMemory,	9_2_029B3034
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 9_2_029B9738 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	9_2_029B9738
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 9_2_029B421A GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	9_2_029B421A
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 9_2_029B3BD0 NtUnmapViewOfSection,	9_2_029B3BD0
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 9_2_029B9809 NtQueryInformationFile,NtReadFile,NtClose,	9_2_029B9809
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 9_2_029B3032 NtAllocateVirtualMemory,	9_2_029B3032
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 9_2_029B396E NtReadVirtualMemory,	9_2_029B396E
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 9_2_029B9654 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,	9_2_029B9654
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 9_2_029B341B NtWriteVirtualMemory,	9_2_029B341B
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 9_2_029B95CC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	9_2_029B95CC
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 9_2_029B9578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	9_2_029B9578
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 12_2_02AB421C GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	12_2_02AB421C
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 12_2_02AB3380 NtWriteVirtualMemory,	12_2_02AB3380
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 12_2_02AB3B44 NtUnmapViewOfSection,	12_2_02AB3B44
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 12_2_02AB38D4 NtReadVirtualMemory,	12_2_02AB38D4
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 12_2_02AB3034 NtAllocateVirtualMemory,	12_2_02AB3034
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 12_2_02AB9738 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	12_2_02AB9738
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 12_2_02AB421A GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	12_2_02AB421A
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 12_2_02AB3BD0 NtUnmapViewOfSection,	12_2_02AB3BD0
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 12_2_02AB3032 NtAllocateVirtualMemory,	12_2_02AB3032
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 12_2_02AB9809 NtQueryInformationFile,NtReadFile,NtClose,	12_2_02AB9809
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 12_2_02AB396E NtReadVirtualMemory,	12_2_02AB396E
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 12_2_02AB9654 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,	12_2_02AB9654
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 12_2_02AB341B NtWriteVirtualMemory,	12_2_02AB341B
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 12_2_02AB95CC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	12_2_02AB95CC
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 12_2_02AB9578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	12_2_02AB9578

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 3_2_02A6A634 InetIsOffline,Sleep,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess,

3_2_02A6A634

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A520B4	3_2_02A520B4
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_00408C60	8_2_00408C60
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_0040DC11	8_2_0040DC11
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_00407C3F	8_2_00407C3F
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_00418CCC	8_2_00418CCC
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_00406CA0	8_2_00406CA0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_004028B0	8_2_004028B0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_0041A4BE	8_2_0041A4BE
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_00418244	8_2_00418244
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_00401650	8_2_00401650
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_00402F20	8_2_00402F20
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_004193C4	8_2_004193C4
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_00418788	8_2_00418788
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_00402F89	8_2_00402F89
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_00402B90	8_2_00402B90
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_004073A0	8_2_004073A0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_1AF40F20	8_2_1AF40F20
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_1AF40F1B	8_2_1AF40F1B
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_1AF415C3	8_2_1AF415C3
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_1AF415C8	8_2_1AF415C8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_1FBBD988	8_2_1FBBD988
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_1FBBAB30	8_2_1FBBAB30
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_1FBB4130	8_2_1FBB4130
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_1FBB003D	8_2_1FBB003D
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_1FBB0040	8_2_1FBB0040
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_20680040	8_2_20680040
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_20684570	8_2_20684570
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_2068D500	8_2_2068D500
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_2068A2B8	8_2_2068A2B8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_20689B08	8_2_20689B08
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_20684B9D	8_2_20684B9D
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_2068B840	8_2_2068B840
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_20680028	8_2_20680028
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_20684561	8_2_20684561
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_20689540	8_2_20689540
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206889B0	8_2_206889B0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_2068A1B7	8_2_2068A1B7
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_2068C980	8_2_2068C980
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_20687E20	8_2_20687E20
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_2068A239	8_2_2068A239
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_2068BE00	8_2_2068BE00
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_20689AF8	8_2_20689AF8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_2068B280	8_2_2068B280
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_20688F78	8_2_20688F78
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_2068CF40	8_2_2068CF40
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_20684350	8_2_20684350
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206883E8	8_2_206883E8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_2068C3C0	8_2_2068C3C0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_20683BA9	8_2_20683BA9
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_20683BB8	8_2_20683BB8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206AB0F8	8_2_206AB0F8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206AD0B0	8_2_206AD0B0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206AC9C8	8_2_206AC9C8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206AC2E0	8_2_206AC2E0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206AD798	8_2_206AD798
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A9018	8_2_206A9018
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206AB0E8	8_2_206AB0E8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A60D0	8_2_206A60D0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206AD0A0	8_2_206AD0A0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A3890	8_2_206A3890
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A7908	8_2_206A7908
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A7918	8_2_206A7918
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206AC9C7	8_2_206AC9C7
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A49D0	8_2_206A49D0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A2190	8_2_206A2190
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A8A58	8_2_206A8A58
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206AC2D2	8_2_206AC2D2
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A32D0	8_2_206A32D0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A7358	8_2_206A7358
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A5B10	8_2_206A5B10
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A1BD0	8_2_206A1BD0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A9B98	8_2_206A9B98
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A4410	8_2_206A4410
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206AA415	8_2_206AA415
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A1489	8_2_206A1489
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A8498	8_2_206A8498
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A5550	8_2_206A5550
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A2D05	8_2_206A2D05
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A2D10	8_2_206A2D10
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A95D8	8_2_206A95D8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A6D98	8_2_206A6D98
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A3E50	8_2_206A3E50
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A1610	8_2_206A1610
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A7ED8	8_2_206A7ED8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A2745	8_2_206A2745
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A2750	8_2_206A2750
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A67D8	8_2_206A67D8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206A4F90	8_2_206A4F90
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_206AD797	8_2_206AD797
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_20988948	8_2_20988948
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_2098856C	8_2_2098856C
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_2098B6E0	8_2_2098B6E0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_20A92818	8_2_20A92818
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_1_00408C60	8_1_00408C60
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_1_0040DC11	8_1_0040DC11
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_1_00407C3F	8_1_00407C3F
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_1_00418CCC	8_1_00418CCC
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_1_00406CA0	8_1_00406CA0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_1_004028B0	8_1_004028B0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_1_0041A4BE	8_1_0041A4BE
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_1_00418244	8_1_00418244
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_1_00401650	8_1_00401650
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_1_00402F20	8_1_00402F20
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_1_004193C4	8_1_004193C4
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_1_00418788	8_1_00418788
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_1_00402F89	8_1_00402F89
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_1_00402B90	8_1_00402B90
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_1_004073A0	8_1_004073A0
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 9_2_029A20B4	9_2_029A20B4
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_00408C60	10_2_00408C60
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_0040DC11	10_2_0040DC11
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_00407C3F	10_2_00407C3F
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_00418CCC	10_2_00418CCC
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_00406CA0	10_2_00406CA0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_004028B0	10_2_004028B0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_0041A4BE	10_2_0041A4BE
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_00418244	10_2_00418244
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_00401650	10_2_00401650
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_00402F20	10_2_00402F20
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_004193C4	10_2_004193C4
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_00418788	10_2_00418788
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_00402F89	10_2_00402F89
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_00402B90	10_2_00402B90
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_004073A0	10_2_004073A0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_1F180F11	10_2_1F180F11
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_1F180F20	10_2_1F180F20
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_1F1815B8	10_2_1F1815B8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_1F1815C8	10_2_1F1815C8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_2234AB30	10_2_2234AB30
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22340006	10_2_22340006
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22340040	10_2_22340040
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22344130	10_2_22344130
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22345DDD	10_2_22345DDD
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E1A2B8	10_2_22E1A2B8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E1F728	10_2_22E1F728
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E19B08	10_2_22E19B08
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E10040	10_2_22E10040
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E14570	10_2_22E14570
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E1D500	10_2_22E1D500
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E19AF8	10_2_22E19AF8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E1B280	10_2_22E1B280
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E17E20	10_2_22E17E20
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E1BE00	10_2_22E1BE00
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E17E10	10_2_22E17E10
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E183E8	10_2_22E183E8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E1C3C0	10_2_22E1C3C0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E183D8	10_2_22E183D8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E1C3B0	10_2_22E1C3B0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E13BB8	10_2_22E13BB8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E18F68	10_2_22E18F68
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E18F78	10_2_22E18F78
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E1CF40	10_2_22E1CF40
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E14350	10_2_22E14350
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E1CF32	10_2_22E1CF32
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E1B840	10_2_22E1B840
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E1B830	10_2_22E1B830
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E1BDF0	10_2_22E1BDF0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E189A0	10_2_22E189A0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E189B0	10_2_22E189B0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E1C980	10_2_22E1C980
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E14561	10_2_22E14561
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E1C970	10_2_22E1C970
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E19540	10_2_22E19540
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E19531	10_2_22E19531
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E3C2E0	10_2_22E3C2E0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E3B0F8	10_2_22E3B0F8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E3D0B0	10_2_22E3D0B0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E3C9C8	10_2_22E3C9C8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E3D798	10_2_22E3D798
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E332D0	10_2_22E332D0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E3C2D0	10_2_22E3C2D0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E38A58	10_2_22E38A58
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E31BD0	10_2_22E31BD0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E39B98	10_2_22E39B98
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E37358	10_2_22E37358
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E35B03	10_2_22E35B03
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E35B10	10_2_22E35B10
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E3B0E8	10_2_22E3B0E8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E360D0	10_2_22E360D0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E3D0A7	10_2_22E3D0A7
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E33890	10_2_22E33890
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E39018	10_2_22E39018
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E349D0	10_2_22E349D0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E3C9BB	10_2_22E3C9BB
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E32180	10_2_22E32180
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E32190	10_2_22E32190
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E37908	10_2_22E37908
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E37918	10_2_22E37918
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E37ED8	10_2_22E37ED8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E33E50	10_2_22E33E50
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E31610	10_2_22E31610
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E367D8	10_2_22E367D8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E3D793	10_2_22E3D793
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E34F90	10_2_22E34F90
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E32740	10_2_22E32740
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E32750	10_2_22E32750
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E31489	10_2_22E31489
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E38498	10_2_22E38498
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E3A409	10_2_22E3A409
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E34410	10_2_22E34410
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E395D8	10_2_22E395D8
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E36D98	10_2_22E36D98
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E35550	10_2_22E35550
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E32D01	10_2_22E32D01
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_22E32D10	10_2_22E32D10
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_23118948	10_2_23118948
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_2311856C	10_2_2311856C
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_2311B6E0	10_2_2311B6E0
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_23222818	10_2_23222818
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: 12_2_02AA20B4	12_2_02AA20B4

Source: Joe Sandbox View

Dropped File: C:\Users\user\Links\eygydoqJ.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301

Source: C:\Users\user\Links\eygydoqJ.pif	Code function: String function: 0040D606 appears 78 times
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: String function: 0040E1D8 appears 120 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02A63E9C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02A54414 appears 246 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02A63E20 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02A5421C appears 64 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02A5457C appears 835 times
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: String function: 02AA457C appears 570 times
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: String function: 029A4414 appears 154 times
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: String function: 02AA4414 appears 154 times
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: String function: 029A457C appears 570 times
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: String function: 029B3E20 appears 48 times
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: String function: 02AB3E20 appears 48 times

Source: 8.2.eygydoqJ.pif.1cc20000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.eygydoqJ.pif.43d038.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.eygydoqJ.pif.1cc20f08.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.eygydoqJ.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.1.eygydoqJ.pif.4e68c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.eygydoqJ.pif.1dec3190.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.eygydoqJ.pif.1f4e0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.eygydoqJ.pif.20563190.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.eygydoqJ.pif.22120000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.eygydoqJ.pif.1a350f08.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.1.eygydoqJ.pif.4e68c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.eygydoqJ.pif.1cb76c66.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.eygydoqJ.pif.20535570.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.eygydoqJ.pif.475468.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.3.eygydoqJ.pif.1afb7b10.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.eygydoqJ.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.1.eygydoqJ.pif.475468.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.eygydoqJ.pif.43d038.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.eygydoqJ.pif.1a500000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.1.eygydoqJ.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.eygydoqJ.pif.1a086c66.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.eygydoqJ.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.eygydoqJ.pif.1a085d5e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.1.eygydoqJ.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.eygydoqJ.pif.1a086c66.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.eygydoqJ.pif.20535570.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.eygydoqJ.pif.22120000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.eygydoqJ.pif.4e68c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.3.eygydoqJ.pif.185de898.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.eygydoqJ.pif.20536478.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.eygydoqJ.pif.1b5d3190.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.eygydoqJ.pif.1de96478.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.eygydoqJ.pif.1a350f08.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.eygydoqJ.pif.1cb75d5e.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.eygydoqJ.pif.1cb76c66.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.eygydoqJ.pif.1cd40000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.eygydoqJ.pif.1f4e0f08.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.eygydoqJ.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.eygydoqJ.pif.1f2f6c66.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.eygydoqJ.pif.1f2f6c66.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.eygydoqJ.pif.1de96478.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.eygydoqJ.pif.1cd40000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.eygydoqJ.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.x.exe.212af7a8.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.x.exe.212af7a8.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.eygydoqJ.pif.1de95570.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.x.exe.212e7bd8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.eygydoqJ.pif.1a350000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.eygydoqJ.pif.1f2f5d5e.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.eygydoqJ.pif.1a085d5e.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.eygydoqJ.pif.1cc20000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.eygydoqJ.pif.20563190.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.eygydoqJ.pif.4e68c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.eygydoqJ.pif.1b5a5570.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.eygydoqJ.pif.1f2f5d5e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.eygydoqJ.pif.1de95570.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.eygydoqJ.pif.1b5a6478.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.eygydoqJ.pif.1a350000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.eygydoqJ.pif.1b5a5570.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.eygydoqJ.pif.1b5d3190.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.eygydoqJ.pif.1a500000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.eygydoqJ.pif.43d038.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.eygydoqJ.pif.1cb75d5e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.eygydoqJ.pif.1f4e0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.3.eygydoqJ.pif.185de898.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.3.eygydoqJ.pif.1afb7b10.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.eygydoqJ.pif.1b5a6478.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.eygydoqJ.pif.1f4e0f08.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.eygydoqJ.pif.20536478.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.1.eygydoqJ.pif.43d038.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.eygydoqJ.pif.1dec3190.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.eygydoqJ.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.1.eygydoqJ.pif.43d038.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.Jqodygye.PIF.2100e348.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.eygydoqJ.pif.1cc20f08.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.1.eygydoqJ.pif.43d038.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.eygydoqJ.pif.43d038.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.1.eygydoqJ.pif.43d038.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000008.00000002.2157856719.000000001DE91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000001.898049041.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000A.00000002.2160908840.0000000022120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.2153882700.000000001F4E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000D.00000002.2158981033.000000001B5A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000D.00000002.2153491388.000000001A500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.2129362086.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000D.00000002.2129374067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000A.00000002.2159042614.0000000020531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.2153281830.000000001F2B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.2129300128.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000008.00000003.916808373.000000001AFB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.2151615923.000000001CC20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000D.00000003.1146685934.00000000185DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.2151357570.000000001CB35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000D.00000002.2151445487.000000001A045000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000D.00000002.2152200513.000000001A350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.2152197129.000000001CD40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: eygydoqJ.pif PID: 5160, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: eygydoqJ.pif PID: 7128, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: eygydoqJ.pif PID: 3552, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 8.2.eygydoqJ.pif.1cb76c66.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.eygydoqJ.pif.1cb76c66.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.eygydoqJ.pif.1cb76c66.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.3.eygydoqJ.pif.1afb7b10.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.3.eygydoqJ.pif.1afb7b10.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.3.eygydoqJ.pif.1afb7b10.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.eygydoqJ.pif.1de96478.10.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.eygydoqJ.pif.1de96478.10.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.eygydoqJ.pif.1de96478.10.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.eygydoqJ.pif.1cd40000.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.eygydoqJ.pif.1cd40000.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.eygydoqJ.pif.1cd40000.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winCMD@22/7@2/2

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 3_2_02A5793C GetDiskFreeSpaceA,

3_2_02A5793C

Source: C:\Users\user\Links\eygydoqJ.pif

Code function: 8_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear,

8_2_004019F0

Source: C:\Users\user\Links\eygydoqJ.pif

8_2_004019F0

Source: C:\Users\user\AppData\Local\Temp\x.exe

File created: C:\Users\All Users\6543.cmd

Jump to behavior

Source: C:\Users\user\Links\eygydoqJ.pif	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3700:120:WilError_03

Source: C:\Windows\System32\extrac32.exe

File created: C:\Users\user\AppData\Local\Temp\CAB06208.TMP

Jump to behavior

Source: C:\Users\user\Links\eygydoqJ.pif	Command line argument: 08A	8_2_00413780
Source: C:\Users\user\Links\eygydoqJ.pif	Command line argument: 08A	8_2_00413780
Source: C:\Users\user\Links\eygydoqJ.pif	Command line argument: 08A	8_1_00413780
Source: C:\Users\user\Links\eygydoqJ.pif	Command line argument: 08A	10_2_00413780

Source: C:\Users\user\AppData\Local\Temp\x.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\extrac32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: eygydoqJ.pif, 00000008.00000002.2152547309.000000001D016000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 00000008.00000002.2152547309.000000001D022000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 00000008.00000002.2157856719.000000001DF17000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 00000008.00000002.2152547309.000000001D001000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 00000008.00000002.2152547309.000000001CFE3000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 00000008.00000002.2152547309.000000001CFF3000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2154552207.000000001F6B4000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2154552207.000000001F6C0000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2159042614.00000000205B7000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2154552207.000000001F691000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2154552207.000000001F681000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: INQ_NO_097590_0109_Order.cmd

ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\INQ_NO_097590_0109_Order.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\INQ_NO_097590_0109_Order.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\6543.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\29023.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\user\Links\eygydoqJ.pif C:\\Users\\user\\Links\eygydoqJ.pif
Source: unknown	Process created: C:\Users\user\Links\Jqodygye.PIF "C:\Users\user\Links\Jqodygye.PIF"
Source: C:\Users\user\Links\Jqodygye.PIF	Process created: C:\Users\user\Links\eygydoqJ.pif C:\\Users\\user\\Links\eygydoqJ.pif
Source: unknown	Process created: C:\Users\user\Links\Jqodygye.PIF "C:\Users\user\Links\Jqodygye.PIF"
Source: C:\Users\user\Links\Jqodygye.PIF	Process created: C:\Users\user\Links\eygydoqJ.pif C:\\Users\\user\\Links\eygydoqJ.pif
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\INQ_NO_097590_0109_Order.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\6543.cmd""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\29023.cmd""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\user\Links\eygydoqJ.pif C:\\Users\\user\\Links\eygydoqJ.pif	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Process created: C:\Users\user\Links\eygydoqJ.pif C:\\Users\\user\\Links\eygydoqJ.pif	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Process created: C:\Users\user\Links\eygydoqJ.pif C:\\Users\\user\\Links\eygydoqJ.pif	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: mscoree.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: wldp.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: amsi.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: userenv.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: profapi.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: version.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: msasn1.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: gpapi.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: cryptsp.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: rsaenh.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: cryptbase.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: rasapi32.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: rasman.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: rtutils.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: mswsock.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: winhttp.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: dnsapi.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: winnsi.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: rasadhlp.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: secur32.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: sspicli.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: schannel.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: ntasn1.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: ncrypt.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Links\eygydoqJ.pif	Section loaded: dpapi.dll

Source: C:\Users\user\AppData\Local\Temp\x.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Links\eygydoqJ.pif

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: INQ_NO_097590_0109_Order.cmd

Static file information: File size 1949291 > 1048576

Source:	Binary string: easinvoker.pdb source: x.exe, 00000003.00000002.939424822.000000002074F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.890908839.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.891371495.000000007EBD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: eygydoqJ.pif, 00000008.00000002.2157856719.000000001DE91000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 00000008.00000003.916808373.000000001AFB7000.00000004.00000020.00020000.00000000.sdmp, eygydoqJ.pif, 00000008.00000002.2151615923.000000001CC20000.00000004.08000000.00040000.00000000.sdmp, eygydoqJ.pif, 00000008.00000002.2151357570.000000001CB35000.00000004.00000020.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2153882700.000000001F4E0000.00000004.08000000.00040000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2153281830.000000001F2B5000.00000004.00000020.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2159042614.0000000020531000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000003.1071748715.000000001D53B000.00000004.00000020.00020000.00000000.sdmp, eygydoqJ.pif, 0000000D.00000002.2158981033.000000001B5A1000.00000004.00000800.00020000.00000000.sdmp, eygydoqJ.pif, 0000000D.00000003.1146685934.00000000185DE000.00000004.00000020.00020000.00000000.sdmp, eygydoqJ.pif, 0000000D.00000002.2151445487.000000001A045000.00000004.00000020.00020000.00000000.sdmp, eygydoqJ.pif, 0000000D.00000002.2152200513.000000001A350000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: x.exe, 00000003.00000002.939424822.000000002074F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.890908839.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.891371495.000000007EBD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.891791710.0000000000821000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000003.891791710.00000000007F9000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Links\eygydoqJ.pif	Unpacked PE file: 8.2.eygydoqJ.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\Links\eygydoqJ.pif	Unpacked PE file: 10.2.eygydoqJ.pif.400000.2.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\Links\eygydoqJ.pif	Unpacked PE file: 13.2.eygydoqJ.pif.400000.1.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Links\eygydoqJ.pif	Unpacked PE file: 8.2.eygydoqJ.pif.400000.0.unpack
Source: C:\Users\user\Links\eygydoqJ.pif	Unpacked PE file: 10.2.eygydoqJ.pif.400000.2.unpack
Source: C:\Users\user\Links\eygydoqJ.pif	Unpacked PE file: 13.2.eygydoqJ.pif.400000.1.unpack

Yara detected DBatLoader

Source: Yara match	File source: 3.2.x.exe.241e118.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.2a50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.241e118.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.917028152.000000000241E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

.NET source code contains method to dynamically call methods (often used by packers)

Source: 8.2.eygydoqJ.pif.1cb76c66.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 8.3.eygydoqJ.pif.1afb7b10.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 8.2.eygydoqJ.pif.1de96478.10.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 8.2.eygydoqJ.pif.1cd40000.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 8.2.eygydoqJ.pif.1cc20f08.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 8.2.eygydoqJ.pif.1dec3190.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 8.2.eygydoqJ.pif.1cc20000.5.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])
Source: 8.2.eygydoqJ.pif.1de95570.9.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])
Source: 8.2.eygydoqJ.pif.1cb75d5e.4.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])

Source: eygydoqJ.pif.3.dr

Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 3_2_02A63E20 LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary,

3_2_02A63E20

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A762A4 push 02A7630Fh; ret	3_2_02A76307
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A53210 push eax; ret	3_2_02A5324C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A760AC push 02A76125h; ret	3_2_02A7611D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A6A018 push ecx; mov dword ptr [esp], edx	3_2_02A6A01D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A6606C push 02A660A4h; ret	3_2_02A6609C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A761F8 push 02A76288h; ret	3_2_02A76280
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A5C1C6 push 02A5C61Eh; ret	3_2_02A5C616
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A5617C push 02A561BEh; ret	3_2_02A561B6
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A5617A push 02A561BEh; ret	3_2_02A561B6
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A76144 push 02A761ECh; ret	3_2_02A761E4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A5F600 push 02A5F64Dh; ret	3_2_02A5F645
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A5C498 push 02A5C61Eh; ret	3_2_02A5C616
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A5F4F4 push 02A5F56Ah; ret	3_2_02A5F562
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A62410 push ecx; mov dword ptr [esp], edx	3_2_02A62412
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A5F5FF push 02A5F64Dh; ret	3_2_02A5F645
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A75854 push 02A75A3Ah; ret	3_2_02A75A32
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A62EDC push 02A62F87h; ret	3_2_02A62F7F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A62EDA push 02A62F87h; ret	3_2_02A62F7F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A5BE18 push ecx; mov dword ptr [esp], edx	3_2_02A5BE1D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A69FB4 push ecx; mov dword ptr [esp], edx	3_2_02A69FB9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A63F84 push 02A63FBCh; ret	3_2_02A63FB4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A55DA0 push 02A55DFBh; ret	3_2_02A55DF3
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A55D9E push 02A55DFBh; ret	3_2_02A55DF3
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A5CDE0 push 02A5CE0Ch; ret	3_2_02A5CE04
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_02A63D40 push 02A63D82h; ret	3_2_02A63D7A
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_0041C40C push cs; iretd	8_2_0041C4E2
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_00423149 push eax; ret	8_2_00423179
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_0041C50E push cs; iretd	8_2_0041C4E2
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_004231C8 push eax; ret	8_2_00423179
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_0040E21D push ecx; ret	8_2_0040E230
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_0041C6BE push ebx; ret	8_2_0041C6BF

Source: 8.2.eygydoqJ.pif.1cb76c66.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'LThgEol63qLNG', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 8.3.eygydoqJ.pif.1afb7b10.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'LThgEol63qLNG', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 8.2.eygydoqJ.pif.1de96478.10.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'LThgEol63qLNG', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 8.2.eygydoqJ.pif.1cd40000.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'LThgEol63qLNG', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 8.2.eygydoqJ.pif.1cc20f08.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'LThgEol63qLNG', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 8.2.eygydoqJ.pif.1dec3190.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'LThgEol63qLNG', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\user\Links\eygydoqJ.pif			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\user\Links\Jqodygye.PIF			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\user\Links\eygydoqJ.pif	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\user\AppData\Local\Temp\x.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\user\Links\Jqodygye.PIF	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Jqodygye			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Jqodygye			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 3_2_02A664E4 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_02A664E4

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\eygydoqJ.pif	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Links\eygydoqJ.pif	Memory allocated: 1AF40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Memory allocated: 1CE90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Memory allocated: 1CCA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Memory allocated: 1F180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Memory allocated: 1F530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Memory allocated: 21530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Memory allocated: 19F60000 memory reserve \| memory write watch
Source: C:\Users\user\Links\eygydoqJ.pif	Memory allocated: 1A5A0000 memory reserve \| memory write watch
Source: C:\Users\user\Links\eygydoqJ.pif	Memory allocated: 1A130000 memory reserve \| memory write watch

Source: C:\Users\user\Links\eygydoqJ.pif

8_2_004019F0

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 3_2_02A552F8 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

3_2_02A552F8

Source: Jqodygye.PIF, 0000000C.00000002.1114654859.00000000008B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj
Source: eygydoqJ.pif, 0000000D.00000002.2149349570.00000000185F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
Source: x.exe, 00000003.00000002.915615978.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, eygydoqJ.pif, 00000008.00000002.2150009137.000000001AFA4000.00000004.00000020.00020000.00000000.sdmp, Jqodygye.PIF, 00000009.00000002.1034299829.0000000000711000.00000004.00000020.00020000.00000000.sdmp, eygydoqJ.pif, 0000000A.00000002.2149167564.000000001D525000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\x.exe	API call chain: ExitProcess graph end node	graph_3-22894
Source: C:\Users\user\Links\eygydoqJ.pif	API call chain: ExitProcess graph end node	graph_8-50691
Source: C:\Users\user\Links\Jqodygye.PIF	API call chain: ExitProcess graph end node	graph_9-24720
Source: C:\Users\user\Links\eygydoqJ.pif	API call chain: ExitProcess graph end node
Source: C:\Users\user\Links\Jqodygye.PIF	API call chain: ExitProcess graph end node

Source: C:\Users\user\Links\eygydoqJ.pif

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 3_2_02A6A5B0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

3_2_02A6A5B0

Source: C:\Users\user\AppData\Local\Temp\x.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Links\eygydoqJ.pif

Code function: 8_2_20684570 LdrInitializeThunk,LdrInitializeThunk,

8_2_20684570

Source: C:\Users\user\Links\eygydoqJ.pif

Code function: 8_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

8_2_0040CE09

Source: C:\Users\user\Links\eygydoqJ.pif

8_2_004019F0

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 3_2_02A63E20 LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary,

3_2_02A63E20

Source: C:\Users\user\Links\eygydoqJ.pif

Code function: 8_2_0040ADB0 GetProcessHeap,HeapFree,

8_2_0040ADB0

Source: C:\Users\user\Links\eygydoqJ.pif

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_0040CE09
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_0040E61C
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00416F6A
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_2_004123F1 SetUnhandledExceptionFilter,	8_2_004123F1
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_1_0040CE09
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_1_0040E61C
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_1_00416F6A
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 8_1_004123F1 SetUnhandledExceptionFilter,	8_1_004123F1
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_0040CE09
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_0040E61C
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00416F6A
Source: C:\Users\user\Links\eygydoqJ.pif	Code function: 10_2_004123F1 SetUnhandledExceptionFilter,	10_2_004123F1

Source: C:\Users\user\Links\eygydoqJ.pif

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 8.2.eygydoqJ.pif.1cd40000.7.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 8.2.eygydoqJ.pif.1cd40000.7.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 8.2.eygydoqJ.pif.1cd40000.7.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + WP6RZJql8gZrNhVA9v.L3hoFlcqP6(15680)))

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: C:\Users\user\Links\eygydoqJ.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Memory allocated: C:\Users\user\Links\eygydoqJ.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Memory allocated: C:\Users\user\Links\eygydoqJ.pif base: 400000 protect: page execute and read and write	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\x.exe	Section unmapped: C:\Users\user\Links\eygydoqJ.pif base address: 400000	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section unmapped: C:\Users\user\Links\eygydoqJ.pif base address: 400000	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Section unmapped: C:\Users\user\Links\eygydoqJ.pif base address: 400000	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Users\user\Links\eygydoqJ.pif base: 343008	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Memory written: C:\Users\user\Links\eygydoqJ.pif base: 235008	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Memory written: C:\Users\user\Links\eygydoqJ.pif base: 284008	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\INQ_NO_097590_0109_Order.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\user\Links\eygydoqJ.pif C:\\Users\\user\\Links\eygydoqJ.pif	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Process created: C:\Users\user\Links\eygydoqJ.pif C:\\Users\\user\\Links\eygydoqJ.pif	Jump to behavior
Source: C:\Users\user\Links\Jqodygye.PIF	Process created: C:\Users\user\Links\eygydoqJ.pif C:\\Users\\user\\Links\eygydoqJ.pif	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	3_2_02A554BC
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetLocaleInfoA,	3_2_02A5A0B8
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetLocaleInfoA,	3_2_02A5A104
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	3_2_02A555C8
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	9_2_029A54BC
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: GetLocaleInfoA,	9_2_029AA104
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	9_2_029A55C7
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	12_2_02AA54BC
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: GetLocaleInfoA,	12_2_02AAA104
Source: C:\Users\user\Links\Jqodygye.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	12_2_02AA55C7

Source: C:\Users\user\Links\eygydoqJ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Links\eygydoqJ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Links\eygydoqJ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Links\eygydoqJ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Links\eygydoqJ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Links\eygydoqJ.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 3_2_02A58B38 GetLocalTime,

3_2_02A58B38

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 3_2_02A69F00 GetUserNameA,

3_2_02A69F00

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 3_2_02A5B038 GetVersionExA,

3_2_02A5B038

Source: C:\Users\user\Links\eygydoqJ.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MSIL Logger

Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20f08.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1dec3190.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20563190.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.22120000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350f08.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb76c66.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20535570.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.eygydoqJ.pif.1afb7b10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a500000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a086c66.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a085d5e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a086c66.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20535570.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.22120000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.eygydoqJ.pif.185de898.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20536478.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5d3190.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de96478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350f08.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb75d5e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb76c66.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cd40000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0f08.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f6c66.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f6c66.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de96478.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cd40000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de95570.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f5d5e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a085d5e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20563190.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a5570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f5d5e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de95570.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a6478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a5570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5d3190.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a500000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb75d5e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.eygydoqJ.pif.185de898.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.eygydoqJ.pif.1afb7b10.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0f08.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a6478.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20536478.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1dec3190.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20f08.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2157856719.000000001DE91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2160908840.0000000022120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2153882700.000000001F4E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2158981033.000000001B5A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2153491388.000000001A500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2159042614.0000000020531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2153281830.000000001F2B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.916808373.000000001AFB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2151615923.000000001CC20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1146685934.00000000185DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2151357570.000000001CB35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2151445487.000000001A045000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2152200513.000000001A350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2152197129.000000001CD40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eygydoqJ.pif PID: 5160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eygydoqJ.pif PID: 7128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eygydoqJ.pif PID: 3552, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20f08.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1dec3190.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20563190.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.22120000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350f08.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb76c66.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20535570.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.eygydoqJ.pif.1afb7b10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a500000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a086c66.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a085d5e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a086c66.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20535570.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.22120000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.eygydoqJ.pif.185de898.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20536478.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5d3190.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de96478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350f08.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb75d5e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb76c66.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cd40000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0f08.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f6c66.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f6c66.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de96478.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cd40000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de95570.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f5d5e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a085d5e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20563190.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a5570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f5d5e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de95570.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a6478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a5570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5d3190.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a500000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb75d5e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.eygydoqJ.pif.185de898.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.eygydoqJ.pif.1afb7b10.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0f08.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a6478.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20536478.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1dec3190.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20f08.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2157856719.000000001DE91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2160908840.0000000022120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2153882700.000000001F4E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2158981033.000000001B5A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2153491388.000000001A500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2159042614.0000000020531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2153281830.000000001F2B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.916808373.000000001AFB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2151615923.000000001CC20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1146685934.00000000185DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2151357570.000000001CB35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2151445487.000000001A045000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2152200513.000000001A350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2152197129.000000001CD40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eygydoqJ.pif PID: 5160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eygydoqJ.pif PID: 7128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eygydoqJ.pif PID: 3552, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20f08.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1dec3190.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20563190.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.22120000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350f08.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb76c66.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20535570.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.eygydoqJ.pif.1afb7b10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a500000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a086c66.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a085d5e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a086c66.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20535570.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.22120000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.eygydoqJ.pif.185de898.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20536478.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5d3190.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de96478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350f08.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb75d5e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb76c66.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cd40000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0f08.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f6c66.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f6c66.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de96478.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cd40000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de95570.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f5d5e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a085d5e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20563190.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a5570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f5d5e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de95570.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a6478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a5570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5d3190.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a500000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb75d5e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.eygydoqJ.pif.185de898.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.eygydoqJ.pif.1afb7b10.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a6478.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0f08.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20536478.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1dec3190.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20f08.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2157856719.000000001DE91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2160908840.0000000022120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2153882700.000000001F4E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2158981033.000000001B5A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2153491388.000000001A500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2159042614.0000000020531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2153281830.000000001F2B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.916808373.000000001AFB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2151615923.000000001CC20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1146685934.00000000185DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2151357570.000000001CB35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2151445487.000000001A045000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2152200513.000000001A350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2152197129.000000001CD40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0000000D.00000002.2154018283.000000001A609000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2152547309.000000001CEFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2154552207.000000001F599000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eygydoqJ.pif PID: 5160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eygydoqJ.pif PID: 7128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eygydoqJ.pif PID: 3552, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Links\eygydoqJ.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Links\eygydoqJ.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Links\eygydoqJ.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Links\eygydoqJ.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Yara detected MSIL Logger

Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20f08.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1dec3190.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20563190.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.22120000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350f08.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb76c66.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20535570.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.eygydoqJ.pif.1afb7b10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a500000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a086c66.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a085d5e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a086c66.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20535570.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.22120000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.eygydoqJ.pif.185de898.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20536478.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5d3190.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de96478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350f08.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb75d5e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb76c66.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cd40000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0f08.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f6c66.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f6c66.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de96478.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cd40000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de95570.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f5d5e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a085d5e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20563190.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a5570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f5d5e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de95570.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a6478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a5570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5d3190.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a500000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb75d5e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.eygydoqJ.pif.185de898.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.eygydoqJ.pif.1afb7b10.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0f08.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a6478.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20536478.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1dec3190.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20f08.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2157856719.000000001DE91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2160908840.0000000022120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2153882700.000000001F4E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2158981033.000000001B5A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2153491388.000000001A500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2159042614.0000000020531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2153281830.000000001F2B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.916808373.000000001AFB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2151615923.000000001CC20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1146685934.00000000185DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2151357570.000000001CB35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2151445487.000000001A045000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2152200513.000000001A350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2152197129.000000001CD40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eygydoqJ.pif PID: 5160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eygydoqJ.pif PID: 7128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eygydoqJ.pif PID: 3552, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20f08.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1dec3190.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20563190.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.22120000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350f08.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb76c66.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20535570.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.eygydoqJ.pif.1afb7b10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a500000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a086c66.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a085d5e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a086c66.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20535570.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.22120000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.eygydoqJ.pif.185de898.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20536478.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5d3190.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de96478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350f08.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb75d5e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb76c66.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cd40000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0f08.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f6c66.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f6c66.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de96478.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cd40000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de95570.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f5d5e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a085d5e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20563190.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a5570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f5d5e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de95570.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a6478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a5570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5d3190.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a500000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb75d5e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.eygydoqJ.pif.185de898.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.eygydoqJ.pif.1afb7b10.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0f08.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a6478.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20536478.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1dec3190.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20f08.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2157856719.000000001DE91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2160908840.0000000022120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2153882700.000000001F4E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2158981033.000000001B5A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2153491388.000000001A500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2159042614.0000000020531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2153281830.000000001F2B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.916808373.000000001AFB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2151615923.000000001CC20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1146685934.00000000185DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2151357570.000000001CB35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2151445487.000000001A045000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2152200513.000000001A350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2152197129.000000001CD40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eygydoqJ.pif PID: 5160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eygydoqJ.pif PID: 7128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eygydoqJ.pif PID: 3552, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20f08.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1dec3190.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20563190.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.22120000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350f08.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb76c66.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20535570.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.eygydoqJ.pif.1afb7b10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a500000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a086c66.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a085d5e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a086c66.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20535570.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.22120000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.eygydoqJ.pif.185de898.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20536478.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5d3190.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de96478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350f08.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb75d5e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb76c66.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cd40000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0f08.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f6c66.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f6c66.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de96478.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cd40000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de95570.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f5d5e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a085d5e.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20563190.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a5570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f2f5d5e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1de95570.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a6478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a350000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a5570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5d3190.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1a500000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cb75d5e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.eygydoqJ.pif.185de898.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.eygydoqJ.pif.1afb7b10.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eygydoqJ.pif.1b5a6478.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.1f4e0f08.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eygydoqJ.pif.20536478.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1dec3190.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.eygydoqJ.pif.1cc20f08.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2157856719.000000001DE91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2160908840.0000000022120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2153882700.000000001F4E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2158981033.000000001B5A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2153491388.000000001A500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2159042614.0000000020531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2153281830.000000001F2B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.916808373.000000001AFB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2151615923.000000001CC20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1146685934.00000000185DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2151357570.000000001CB35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2151445487.000000001A045000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2152200513.000000001A350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2152197129.000000001CD40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0000000D.00000002.2154018283.000000001A609000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2152547309.000000001CEFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2154552207.000000001F599000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eygydoqJ.pif PID: 5160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eygydoqJ.pif PID: 7128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eygydoqJ.pif PID: 3552, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 Valid Accounts	1 Valid Accounts	11 Deobfuscate/Decode Files or Information	1 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	311 Process Injection	4 Software Packing	NTDS	26 System Information Discovery	Distributed Component Object Model	1 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	141 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	311 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report INQ_NO_097590_0109_Order.cmd

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
INQ_NO_097590_0109_Order.cmd