Threat Feed

B3aJ4Xy4r8NMEO5v.dll
2026-05-21T18:24:23.278
Verdict: malicious
Type: Windows DLL (x86-64)
SHA256: a7bcc4c05c6daed81119827edaa4a5dc1cafc1b6a139bc6659fdd010027c72cb

VMRay Threat Identifiers
Severity  Operation
4/5       Writes into the memory of another process
4/5       Modifies control flow of another process
3/5       All network connection attempts failed
2/5       Delays execution
2/5       Tries to detect analyzer sandbox
1/5       Drops PE file
1/5       Enumerates running processes
1/5       Creates a page with write and execute permissions
1/5       Creates mutex
1/5       Enables process privileges
1/5       Connects to remote host
1/5       Resolves API functions dynamically
Classification: Injector

http://49.51.43.12/v3/signin/identifier?flowName=GlifWebSignIn&flowEntry=ServiceLogin&ifkv=AWa2PaseBx8XOuDUoQtSSGcbmhPBF8qZZf7ngC6t6Lap01u5jBT8SP7hK1p1AQTmjV22pADbGnRiVg&dsh=S-1811013456%3A1779386909679579569
2026-05-21T18:22:32.660
Verdict: malicious
Type: URL

VMRay Threat Identifiers
Severity  Operation
5/5       Combination of other detections indicates a phishing website
4/5       Phishing page detected via Machine Learning
2/5       Page uses exact same title as that of a popular online service
2/5       Branded Logon form detected via Computer Vision
1/5       Content matched by YARA rules
1/5       HTTPS page insecurely loads resources via HTTP
1/5       Branding image detected via Computer Vision
1/5       Page presents itself as a logon page
Classification: Phishing

PO_CW00402902400438.exe
2026-05-21T18:01:58.688
Verdict: malicious
Type: Windows Exe (x86-32)
SHA256: 96a414f408bf9ccc9b692b2dc5a4faa115e752edecdd5f2292c3135eee522b93

VMRay Threat Identifiers
Severity  Operation
5/5       Malicious content matched by YARA rules
5/5       Tries to read cached credentials of various applications
5/5       VIPKeylogger configuration was extracted
4/5       Malicious content matched by YARA rules
4/5       Process Hollowing
3/5       Sends data via a Telegram bot
2/5       Connects to SMTP server
2/5       Searches for sensitive browser data
2/5       Searches for sensitive application data
2/5       Searches for sensitive mail data
2/5       Suspicious content matched by YARA rules
2/5       Modifies control flow of a process started from a created or modified executable
2/5       Reads sensitive mail data
1/5       Checks external IP address
1/5       Content matched by YARA rules
1/5       Creates a page with write and execute permissions
1/5       Possibly does reconnaissance
1/5       Query OS Information
1/5       Enumerates running processes
1/5       Creates process with hidden window
1/5       Enables process privileges
1/5       Connects to remote host
1/5       Performs DNS request
1/5       Reads from memory of another process
Classification: Spyware, Injector

Quotation List Pdf.exe
2026-05-21T18:00:22.390
Verdict: malicious
Type: Windows Exe (x86-64)
SHA256: 7eaa347573db3f24316a9ab2d30256db4d35105c7d93f9dbf8d860ec99949280

VMRay Threat Identifiers
Severity  Operation
5/5       FormBook configuration was extracted
5/5       Malicious content matched by YARA rules
4/5       Modifies control flow of another process
4/5       Makes indirect system call to possibly evade hooking based monitoring
4/5       Process Hollowing
4/5       Writes into the memory of another process
3/5       All network connection attempts failed
3/5       Captures clipboard data
2/5       Delays execution
2/5       Tries to detect kernel debugger
1/5       Content matched by YARA rules
1/5       Creates process with hidden window
1/5       Tries to detect debugger
1/5       Enumerates running processes
1/5       Creates mutex
1/5       Reads from memory of another process
1/5       Creates a page with write and execute permissions
1/5       Installs system startup script or application
1/5       Performs DNS request
1/5       Unusual large memory allocation
Classification: Spyware, Injector

New Ordergpj.exe
2026-05-21T17:58:03.563
Verdict: malicious
Type: Windows Exe (x86-32)
SHA256: ce3640188892598ea084f6e762ba66f0f364cad587ef4d5cc3287073604b4d70

VMRay Threat Identifiers
Severity  Operation
5/5       Makes indirect system calls to hide process injection
5/5       Malicious content matched by YARA rules
5/5       FormBook configuration was extracted
5/5       Adds a hook to a web browser
4/5       Masks file extension
4/5       Process Hollowing
4/5       Writes into the memory of another process
4/5       Modifies control flow of another process
4/5       Makes indirect system call to possibly evade hooking based monitoring
3/5       Obscures a file's origin
3/5       Modifies native system functions
2/5       Modifies control flow of a process started from a created or modified executable
2/5       Delays execution
2/5       Tries to detect kernel debugger
2/5       Deletes file after execution
1/5       Reads from memory of another process
1/5       Overwrites code
1/5       Creates process with hidden window
1/5       Enumerates running processes
1/5       Creates a page with write and execute permissions
1/5       Creates mutex
1/5       Tries to detect debugger
1/5       Query OS Information
1/5       Enables process privileges
1/5       Performs DNS request
1/5       Connects to remote host
1/5       URL contains a TLD highly associated with phishing
Classification: Spyware, Trojan, Injector