
Analysis Report PO # 42199083 Rev.00.exe

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:222863
Start date:15.04.2020
Start time:21:02:49
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 6m 20s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:PO # 42199083 Rev.00.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.troj.spyw.evad.winEXE@5/3@20/1
EGA Information:
  • Successful, ratio: 66.7%
HDC Information:
  • Successful, ratio: 33.8% (good quality ratio 28.8%)
  • Quality average: 65.6%
  • Quality standard deviation: 35.7%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 210
  • Number of non-executed functions: 37
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • Excluded IPs from analysis (whitelisted): 2.20.160.163
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, e1723.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
  • Execution Graph export aborted for target PO # 42199083 Rev.00.exe, PID 1132 because there are no executed functions
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy:Threshold
Score:100
Range:0 - 100
Whitelisted:false
Threat:Lokibot
Detection:malicious

Confidence

Strategy:Threshold
Score:5
Range:0 - 5
Further Analysis Required?:false


Classification Spiderchart

Analysis Advice

Some HTTP requests failed (404). It is likely the sample will exhibit less behavior than it would with a reachable server.



Mitre Att&ck Matrix

Techniques by tactic (the numbers after a technique are the matrix's signature hit badges):

Initial Access:
  • Valid Accounts
  • Replication Through Removable Media
  • External Remote Services
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • Spearphishing Link
  • Spearphishing Attachment
  • Spearphishing via Service
Execution:
  • Windows Remote Management
  • Service Execution
  • Windows Management Instrumentation
  • Scheduled Task
  • Command-Line Interface
  • Graphical User Interface
  • Scripting
  • Third-party Software
Persistence:
  • Winlogon Helper DLL
  • Port Monitors
  • Accessibility Features
  • System Firmware
  • Shortcut Modification
  • Modify Existing Service
  • Path Interception
  • Logon Scripts
Privilege Escalation:
  • Access Token Manipulation 1
  • Process Injection 111
  • Path Interception
  • DLL Search Order Hijacking
  • File System Permissions Weakness
  • New Service
  • Scheduled Task
  • Process Injection
Defense Evasion:
  • Disabling Security Tools 1
  • Deobfuscate/Decode Files or Information 1
  • Obfuscated Files or Information 2
  • Masquerading 1
  • Virtualization/Sandbox Evasion 3
  • Access Token Manipulation 1
  • Process Injection 111
  • Indicator Blocking
Credential Access:
  • Credential Dumping 2
  • Input Capture 1
  • Credentials in Registry 2
  • Credentials in Files
  • Account Manipulation
  • Brute Force
  • Two-Factor Authentication Interception
  • Bash History
Discovery:
  • Account Discovery 1
  • Security Software Discovery 121
  • File and Directory Discovery 2
  • System Information Discovery 13
  • Virtualization/Sandbox Evasion 3
  • Process Discovery 1
  • System Owner/User Discovery 1
  • Remote System Discovery 1
Lateral Movement:
  • Remote File Copy 3
  • Remote Services
  • Windows Remote Management
  • Logon Scripts
  • Shared Webroot
  • Third-party Software
  • Pass the Hash
  • Remote Desktop Protocol
Collection:
  • Man in the Browser 1
  • Data from Local System 2
  • Email Collection 1
  • Input Capture 1
  • Data Staged
  • Screen Capture
  • Email Collection
  • Clipboard Data
Exfiltration:
  • Data Encrypted 1
  • Exfiltration Over Other Network Medium
  • Automated Exfiltration
  • Data Encrypted
  • Scheduled Transfer
  • Data Transfer Size Limits
  • Exfiltration Over Command and Control Channel
  • Exfiltration Over Alternative Protocol
Command and Control:
  • Remote File Copy 3
  • Standard Cryptographic Protocol 1
  • Standard Non-Application Layer Protocol 3
  • Standard Application Layer Protocol 113
  • Standard Cryptographic Protocol
  • Commonly Used Port
  • Uncommonly Used Port
  • Standard Application Layer Protocol
Network Effects:
  • Eavesdrop on Insecure Network Communication
  • Exploit SS7 to Redirect Phone Calls/SMS
  • Exploit SS7 to Track Device Location
  • SIM Card Swap
  • Manipulate Device Communication
  • Jamming or Denial of Service
  • Rogue Wi-Fi Access Points
  • Downgrade to Insecure Protocols
Remote Service Effects:
  • Remotely Track Device Without Authorization
  • Remotely Wipe Data Without Authorization
  • Obtain Device Cloud Backups
Impact:
  • Modify System Partition
  • Device Lockout
  • Delete Device Data
  • Premium SMS Toll Fraud
  • Manipulate App Store Rankings or Ratings
  • Abuse Accessibility Features
  • Data Encrypted for Impact
  • Generate Fraudulent Advertising Revenue

Signature Overview



AV Detection:

Found malware configuration
Source: PO # 42199083 Rev.00.exe.4740.3.memstr; Malware Configuration Extractor: Lokibot {"c2:": "https://secondpassglobal.com/wp-content/uploads/five/fre.php"}
Machine Learning detection for sample
Source: PO # 42199083 Rev.00.exe; Joe Sandbox ML: detected

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe; Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,3_2_00403D74

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49747 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49747 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49747 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49747 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49748 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49748 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49748 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49748 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49749 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49749 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49750 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49750 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49751 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49751 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49752 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49752 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49753 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49753 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49754 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49754 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49755 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49755 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49756 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49756 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49757 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49757 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49759 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49759 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49760 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49760 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49761 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49761 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49762 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49762 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49764 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49764 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49765 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49765 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49766 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49766 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49767 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49767 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49768 -> 35.234.135.13:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49768 -> 35.234.135.13:80
Found C&C like URL pattern
Source: global traffic; HTTP traffic detected: POST /wp-content/uploads/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: secondpassglobal.com | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 25D6D33C | Content-Length: 176 | Connection: close
Source: global traffic; HTTP traffic detected: POST /wp-content/uploads/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: secondpassglobal.com | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 25D6D33C | Content-Length: 149 | Connection: close
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: unknown unknown
Uses a known web browser user agent for HTTP communication
Source: global traffic; HTTP traffic detected: POST /wp-content/uploads/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: secondpassglobal.com | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 25D6D33C | Content-Length: 176 | Connection: close
Source: global traffic; HTTP traffic detected: POST /wp-content/uploads/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: secondpassglobal.com | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 25D6D33C | Content-Length: 149 | Connection: close
Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe; Code function: 3_2_00404ED4 recv,3_2_00404ED4
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: secondpassglobal.com
Posts data to webserver
Source: unknown; HTTP traffic detected: POST /wp-content/uploads/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: secondpassglobal.com | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 25D6D33C | Content-Length: 176 | Connection: close
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 15 Apr 2020 19:04:07 GMT | Server: Apache | X-Powered-By: PHP/5.6.40 | Upgrade: h2,h2c | Connection: Upgrade, close | Vary: User-Agent | Content-Type: text/html; charset=UTF-8 | Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Urls found in memory or binary data
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.813480749.0000000005E86000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: PO # 42199083 Rev.00.exe; String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.813480749.0000000005E86000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.788548712.0000000004EA3000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.788548712.0000000004EA3000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com5
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.813480749.0000000005E86000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.788548712.0000000004EA3000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comtq
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.781851582.0000000004EDE000.00000004.00000001.sdmp, PO # 42199083 Rev.00.exe, 00000000.00000002.813480749.0000000005E86000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.786641278.0000000004EA3000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.787139661.0000000004EBB000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.813480749.0000000005E86000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.813480749.0000000005E86000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.786613200.0000000004EA5000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnD9
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.786613200.0000000004EA5000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnf9x
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.785352263.0000000004EDE000.00000004.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: PO # 42199083 Rev.00.exe, PO # 42199083 Rev.00.exe, 00000003.00000002.832314256.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: http://www.ibsensoftware.com/
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.790684618.0000000004EAB000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.790684618.0000000004EAB000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.790110299.0000000004EA9000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/A
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.790684618.0000000004EAB000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/W
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.790684618.0000000004EAB000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.790684618.0000000004EAB000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/e
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.790684618.0000000004EAB000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.781392502.0000000000F4B000.00000004.00000001.sdmp, PO # 42199083 Rev.00.exe, 00000000.00000002.813480749.0000000005E86000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.781392502.0000000000F4B000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.comerm
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.781392502.0000000000F4B000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.comibi
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.781392502.0000000000F4B000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.commbe
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.813480749.0000000005E86000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.785352263.0000000004EDE000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.813480749.0000000005E86000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.788548712.0000000004EA3000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com?
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.788548712.0000000004EA3000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.comD-
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.788548712.0000000004EA3000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.comic
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.782456685.0000000000F4A000.00000004.00000001.sdmp; String found in binary or memory: http://www.typography.net
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.782456685.0000000000F4A000.00000004.00000001.sdmp; String found in binary or memory: http://www.typography.net-c
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.813480749.0000000005E86000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.784527600.0000000000F4D000.00000004.00000001.sdmp; String found in binary or memory: http://www.typography.netnet-c
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.813480749.0000000005E86000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.788548712.0000000004EA3000.00000004.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cno.
Source: PO # 42199083 Rev.00.exe, 00000003.00000002.838743269.0000000001138000.00000004.00000020.sdmp; String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js
Source: PO # 42199083 Rev.00.exe, 00000003.00000002.838743269.0000000001138000.00000004.00000020.sdmp; String found in binary or memory: https://fonts.googleapis.com/css?family=Noto
Source: PO # 42199083 Rev.00.exe, 00000003.00000002.838743269.0000000001138000.00000004.00000020.sdmp; String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css
Source: PO # 42199083 Rev.00.exe, 00000003.00000002.838743269.0000000001138000.00000004.00000020.sdmp; String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js
Source: PO # 42199083 Rev.00.exe, 00000003.00000002.838743269.0000000001138000.00000004.00000020.sdmp; String found in binary or memory: https://secondpassglobal.com/wp-content/uploads/five/fre.php
Source: PO # 42199083 Rev.00.exe, 00000003.00000002.838743269.0000000001138000.00000004.00000020.sdmp; String found in binary or memory: https://secondpassglobal.com/wp-content/uploads/five/fre.phpa
Source: PO # 42199083 Rev.00.exe, 00000003.00000002.838743269.0000000001138000.00000004.00000020.sdmp; String found in binary or memory: https://www.google.com/recaptcha/api.js?hl=en

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.802210451.0000000000CD8000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.808069469.0000000003C84000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.832314256.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.832314256.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000000.00000002.805686099.0000000002C47000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.PO # 42199083 Rev.00.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.PO # 42199083 Rev.00.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 3.2.PO # 42199083 Rev.00.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.PO # 42199083 Rev.00.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
.NET source code contains very large strings
Source: PO # 42199083 Rev.00.exe, ModernForms/ClassCore.cs Long String: Length: 86015
Source: 0.2.PO # 42199083 Rev.00.exe.500000.0.unpack, ModernForms/ClassCore.cs Long String: Length: 86015
Source: 0.0.PO # 42199083 Rev.00.exe.500000.0.unpack, ModernForms/ClassCore.cs Long String: Length: 86015
Source: 2.2.PO # 42199083 Rev.00.exe.240000.0.unpack, ModernForms/ClassCore.cs Long String: Length: 86015
Source: 2.0.PO # 42199083 Rev.00.exe.240000.0.unpack, ModernForms/ClassCore.cs Long String: Length: 86015
Source: 3.2.PO # 42199083 Rev.00.exe.a30000.1.unpack, ModernForms/ClassCore.cs Long String: Length: 86015
Source: 3.0.PO # 42199083 Rev.00.exe.a30000.0.unpack, ModernForms/ClassCore.cs Long String: Length: 86015
Contains functionality to call native functions
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_0504073A NtQueryInformationProcess
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_050408AA NtQuerySystemInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_05040718 NtQueryInformationProcess
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_0504086F NtQuerySystemInformation
Detected potential crypto function
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_028012C8
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_028072E0
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_02802A58
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_02800BD8
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_0280C490
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_028000A8
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_02801C10
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_0280A440
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_0280AC50
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_02807120
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_0280B578
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_02802E99
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_028012B8
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_028072D0
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_02804791
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_02804B91
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_02804BA0
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_028047A0
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_0280A3A0
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_0280DBC0
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_02801721
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_02801730
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_02800B30
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_0280E340
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_02800099
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_02801C01
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_0280D180
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_02804989
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_02804998
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_028099B6
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_028099EE
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_02809915
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_02807118
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_0280E528
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_0280755E
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_0280E160
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_02807560
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_02802971
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B3970
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B4058
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B6FC1
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B2620
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B3960
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B2DFE
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B4048
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B2879
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B0070
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B006B
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B6CD9
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B44E8
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B2888
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B5760
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B2E40
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B2610
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B52E1
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B7298
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B4A88
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B728F
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 3_2_0040549C
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 3_2_004029D4
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: String function: 00405B6F appears 42 times
PE file contains strange resources
Source: PO # 42199083 Rev.00.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.801053543.0000000000588000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamejsNuLVwmXeEwePw.exeF vs PO # 42199083 Rev.00.exe
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.811276896.0000000005B80000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PO # 42199083 Rev.00.exe
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.806044788.0000000002D1A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDefender Protect.dllB vs PO # 42199083 Rev.00.exe
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.802210451.0000000000CD8000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs PO # 42199083 Rev.00.exe
Source: PO # 42199083 Rev.00.exe, 00000002.00000002.799558432.00000000002C8000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamejsNuLVwmXeEwePw.exeF vs PO # 42199083 Rev.00.exe
Source: PO # 42199083 Rev.00.exe, 00000003.00000000.799992666.0000000000AB8000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamejsNuLVwmXeEwePw.exeF vs PO # 42199083 Rev.00.exe
Source: PO # 42199083 Rev.00.exe Binary or memory string: OriginalFilenamejsNuLVwmXeEwePw.exeF vs PO # 42199083 Rev.00.exe
Searches the installation path of Mozilla Firefox
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
Yara signature match
Source: 00000000.00000002.808069469.0000000003C84000.00000004.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.832314256.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.832314256.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000000.00000002.805686099.0000000002C47000.00000004.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.PO # 42199083 Rev.00.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.PO # 42199083 Rev.00.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.PO # 42199083 Rev.00.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.PO # 42199083 Rev.00.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Binary contains paths to development resources
Source: PO # 42199083 Rev.00.exe, 00000000.00000003.787116230.0000000004EDE000.00000004.00000001.sdmp Binary or memory string: =MS Gothic is a trademark of the Microsoft group of companies.slnt4
Classification label
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/3@20/1
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_050403EA AdjustTokenPrivileges
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_050403B3 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 3_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 3_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize
Creates files inside the user directory
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\PO # 42199083 Rev.00.exe.log
Creates mutexes
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Mutant created: \Sessions\1\BaseNamedObjects\oDAjfNbPKceVEBaRbaZVxPG
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Mutant created: \Sessions\1\BaseNamedObjects\F7EE0CF1CF93AA2F06F12A09
PE file has an executable .text section and no other executable section
Source: PO # 42199083 Rev.00.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Reads ini files
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Reads software policies
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe File read: C:\Windows\System32\drivers\etc\hosts
Spawns processes
Source: unknown Process created: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe 'C:\Users\user\Desktop\PO # 42199083 Rev.00.exe'
Source: unknown Process created: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe {path}
Source: unknown Process created: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe {path}
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Process created: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe {path}
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Process created: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe {path}
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
PE file contains a COM descriptor data directory
Source: PO # 42199083 Rev.00.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Uses new MSVCR DLLs
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PO # 42199083 Rev.00.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Users\Vendetta\source\repos\Defender Protect\Defender Protect\obj\Debug\Defender Protect.pdb source: PO # 42199083 Rev.00.exe, 00000000.00000002.806044788.0000000002D1A000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: PO # 42199083 Rev.00.exe, 00000000.00000002.811276896.0000000005B80000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected aPLib compressed binary
Source: Yara match File source: 00000000.00000002.808069469.0000000003C84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.832314256.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.805686099.0000000002C47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO # 42199083 Rev.00.exe PID: 4488, type: MEMORY
Source: Yara match File source: Process Memory Space: PO # 42199083 Rev.00.exe PID: 4740, type: MEMORY
Source: Yara match File source: 3.2.PO # 42199083 Rev.00.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.PO # 42199083 Rev.00.exe.400000.0.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_00538153 pushfd ; iretd 0_2_0053815B
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_00538641 push ecx; retf 0_2_0053865D
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_00535E69 push es; iretd 0_2_00535E71
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_005329FB pushfd ; retf 0_2_005329FC
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_0280BFB1 push ecx; ret 0_2_0280BFB5
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_028084E7 push 06FFFFFFh; iretd 0_2_028084EC
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_028008E9 push esp; iretd 0_2_028008EA
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B3918 push ds; retn 0005h 0_2_055B391A
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B2DFE push ss; retn 0005h 0_2_055B2E32
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B7C32 pushad ; iretd 0_2_055B7C35
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B7C24 pushad ; iretd 0_2_055B7C2B
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B38D0 push ds; retn 0005h 0_2_055B38D2
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B3881 push ds; retn 0005h 0_2_055B3882
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B6353 push esp; ret 0_2_055B6357
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B7B6C push edx; iretd 0_2_055B7B6D
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 0_2_055B87D0 push ecx; ret 0_2_055B87D2
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 2_2_00275E69 push es; iretd 2_2_00275E71
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 2_2_00278641 push ecx; retf 2_2_0027865D
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 2_2_00278153 pushfd ; iretd 2_2_0027815B
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 2_2_002729FB pushfd ; retf 2_2_002729FC
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 3_2_00402AC0 push eax; ret 3_2_00402AD4
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 3_2_00402AC0 push eax; ret 3_2_00402AFC
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 3_2_00A629FB pushfd ; retf 3_2_00A629FC
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 3_2_00A68153 pushfd ; iretd 3_2_00A6815B
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 3_2_00A65E69 push es; iretd 3_2_00A65E71
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe Code function: 3_2_00A68641 push ecx; retf 3_2_00A6865D

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeProcess information set: NOGPFAULTERRORBOXJump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: Process Memory Space: PO # 42199083 Rev.00.exe PID: 4488, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.805604553.0000000002C10000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.805604553.0000000002C10000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe TID: 5000 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe TID: 1152 | Thread sleep time: -180000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, | 3_2_00403D74
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.805604553.0000000002C10000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II,SOFTWARE\Microsoft\Windows Defender\Features
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.805604553.0000000002C10000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.805604553.0000000002C10000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.805604553.0000000002C10000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.805604553.0000000002C10000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.805604553.0000000002C10000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.805604553.0000000002C10000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.805604553.0000000002C10000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: PO # 42199083 Rev.00.exe, 00000000.00000002.805604553.0000000002C10000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: PO # 42199083 Rev.00.exe, 00000003.00000002.838743269.0000000001138000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Queries a list of all running processes
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Process queried: DebugPort
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Code function: 3_2_0040317B mov eax, dword ptr fs:[00000030h] | 3_2_0040317B
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Code function: 3_2_00402B7C GetProcessHeap,RtlAllocateHeap, | 3_2_00402B7C
Enables debug privileges
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Memory written: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Process created: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe {path}

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc.) of a device
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exeQueries volume information: C:\ VolumeInformationJump to behavior
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Code function: 3_2_00406069 GetUserNameW, 3_2_00406069
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Lokibot
Source: Yara match | File source: 00000000.00000002.808069469.0000000003C84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.832314256.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.805686099.0000000002C47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO # 42199083 Rev.00.exe PID: 4488, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO # 42199083 Rev.00.exe PID: 4740, type: MEMORY
Source: Yara match | File source: 3.2.PO # 42199083 Rev.00.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.PO # 42199083 Rev.00.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\cert9.db
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\pkcs11.txt
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\key4.db
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Code function: PopPassword 3_2_0040D069
Source: C:\Users\user\Desktop\PO # 42199083 Rev.00.exe | Code function: SmtpPassword 3_2_0040D069

Malware Configuration

Threatname: Lokibot

{"c2:": "https://secondpassglobal.com/wp-content/uploads/five/fre.php"}

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 222863