Windows Analysis Report
ypdTgfE0o8

AV Detection

Source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "45.133.1.20/oluwa/five/fre.php"]}

Source: ypdTgfE0o8.exe	Virustotal: Detection: 41%			Perma Link
Source: ypdTgfE0o8.exe	ReversingLabs: Detection: 47%

Source: http://45.133.1.20/oluwa/five/fre.php	Avira URL Cloud: Label: malware
Source: 45.133.1.20/oluwa/five/fre.php	Avira URL Cloud: Label: malware

Source: http://45.133.1.20/oluwa/five/fre.php	Virustotal: Detection: 16%			Perma Link
Source: 45.133.1.20/oluwa/five/fre.php	Virustotal: Detection: 16%			Perma Link

Source: ypdTgfE0o8.exe

Joe Sandbox ML: detected

Compliance

Source: ypdTgfE0o8.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: ypdTgfE0o8.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: cbgsujmwws.exe, 00000001.00000003.375462128.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, cbgsujmwws.exe, 00000001.00000003.378104668.0000000002250000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: cbgsujmwws.exe, 00000001.00000003.375462128.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, cbgsujmwws.exe, 00000001.00000003.378104668.0000000002250000.00000004.00001000.00020000.00000000.sdmp

Spreading

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_00405C13
Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	Code function: 0_2_0040683D FindFirstFileW,FindClose,		0_2_0040683D
Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	Code function: 0_2_0040290B FindFirstFileW,		0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,		2_2_00403D74

Networking

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: 45.133.1.20/oluwa/five/fre.php

Source: Joe Sandbox View

ASN Name: DEDIPATH-LLCUS DEDIPATH-LLCUS

Source: Joe Sandbox View

IP Address: 45.133.1.20 45.133.1.20

Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 196Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 196Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20

Source: ypdTgfE0o8.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: cbgsujmwws.exe, cbgsujmwws.exe, 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cbgsujmwws.exe, 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/

Source: unknown

HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 196Connection: close

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Code function: 2_2_00404ED4 recv,

2_2_00404ED4

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe

Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056A8

System Summary

Source: 2.0.cbgsujmwws.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.cbgsujmwws.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.cbgsujmwws.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.cbgsujmwws.exe.9f0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.cbgsujmwws.exe.9f0000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cbgsujmwws.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.cbgsujmwws.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.cbgsujmwws.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cbgsujmwws.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.cbgsujmwws.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.cbgsujmwws.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.cbgsujmwws.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.2.cbgsujmwws.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.cbgsujmwws.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cbgsujmwws.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.cbgsujmwws.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.cbgsujmwws.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.cbgsujmwws.exe.9f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.cbgsujmwws.exe.9f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.cbgsujmwws.exe.9f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cbgsujmwws.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.cbgsujmwws.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.cbgsujmwws.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cbgsujmwws.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.cbgsujmwws.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.cbgsujmwws.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cbgsujmwws.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.cbgsujmwws.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.cbgsujmwws.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cbgsujmwws.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.cbgsujmwws.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.cbgsujmwws.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cbgsujmwws.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.cbgsujmwws.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.cbgsujmwws.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cbgsujmwws.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.cbgsujmwws.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.cbgsujmwws.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.cbgsujmwws.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.2.cbgsujmwws.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.cbgsujmwws.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group

Source: ypdTgfE0o8.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 2.0.cbgsujmwws.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.cbgsujmwws.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.cbgsujmwws.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.cbgsujmwws.exe.9f0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.cbgsujmwws.exe.9f0000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cbgsujmwws.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.cbgsujmwws.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.cbgsujmwws.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cbgsujmwws.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.cbgsujmwws.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.cbgsujmwws.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.cbgsujmwws.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.2.cbgsujmwws.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.cbgsujmwws.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cbgsujmwws.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.cbgsujmwws.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.cbgsujmwws.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.cbgsujmwws.exe.9f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.cbgsujmwws.exe.9f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.cbgsujmwws.exe.9f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cbgsujmwws.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.cbgsujmwws.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.cbgsujmwws.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cbgsujmwws.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.cbgsujmwws.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.cbgsujmwws.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cbgsujmwws.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.cbgsujmwws.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.cbgsujmwws.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cbgsujmwws.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.cbgsujmwws.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.cbgsujmwws.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cbgsujmwws.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.cbgsujmwws.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.cbgsujmwws.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cbgsujmwws.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.cbgsujmwws.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.cbgsujmwws.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.cbgsujmwws.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.2.cbgsujmwws.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.cbgsujmwws.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe

Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004034F7

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	Code function: 0_2_00406BFE		0_2_00406BFE
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 1_2_009E0A48		1_2_009E0A48
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 2_2_0040549C		2_2_0040549C
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 2_2_004029D4		2_2_004029D4

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: String function: 00405B6F appears 42 times

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe F340BF91627787A2770C897AA9555BB82382CDCC2232904B5707238AB0A85E39

Source: ypdTgfE0o8.exe	Virustotal: Detection: 41%
Source: ypdTgfE0o8.exe	ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe

File read: C:\Users\user\Desktop\ypdTgfE0o8.exe

Jump to behavior

Source: ypdTgfE0o8.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ypdTgfE0o8.exe "C:\Users\user\Desktop\ypdTgfE0o8.exe"
Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	Process created: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process created: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny
Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	Process created: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process created: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny			Jump to behavior

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004034F7
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 2_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,		2_2_0040650A

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe

File created: C:\Users\user\AppData\Local\Temp\nsf8A25.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/6@0/1

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe

Code function: 0_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404954

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: ypdTgfE0o8.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: cbgsujmwws.exe, 00000001.00000003.375462128.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, cbgsujmwws.exe, 00000001.00000003.378104668.0000000002250000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: cbgsujmwws.exe, 00000001.00000003.375462128.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, cbgsujmwws.exe, 00000001.00000003.378104668.0000000002250000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cbgsujmwws.exe.9f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cbgsujmwws.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cbgsujmwws.exe.9f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cbgsujmwws.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cbgsujmwws.exe PID: 6240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cbgsujmwws.exe PID: 492, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 2_2_00402AC0 push eax; ret		2_2_00402AD4
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 2_2_00402AC0 push eax; ret		2_2_00402AFC

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	File created: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	File created: C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy)			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe TID: 3384

Thread sleep time: -240000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_00405C13
Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	Code function: 0_2_0040683D FindFirstFileW,FindClose,		0_2_0040683D
Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	Code function: 0_2_0040290B FindFirstFileW,		0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,		2_2_00403D74

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe

API call chain: ExitProcess graph end node

Source: cbgsujmwws.exe, 00000002.00000002.633258341.00000000006B8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Code function: 2_2_00402B7C GetProcessHeap,RtlAllocateHeap,

2_2_00402B7C

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 1_2_009E03F8 mov eax, dword ptr fs:[00000030h]		1_2_009E03F8
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 1_2_009E061D mov eax, dword ptr fs:[00000030h]		1_2_009E061D
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 1_2_009E0736 mov eax, dword ptr fs:[00000030h]		1_2_009E0736
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 1_2_009E06F7 mov eax, dword ptr fs:[00000030h]		1_2_009E06F7
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 1_2_009E0772 mov eax, dword ptr fs:[00000030h]		1_2_009E0772
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 2_2_0040317B mov eax, dword ptr fs:[00000030h]		2_2_0040317B

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Memory written: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Process created: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny

Jump to behavior

Language, Device and Operating System Detection

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe

Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004034F7

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Code function: 2_2_00406069 GetUserNameW,

2_2_00406069

Stealing of Sensitive Information

Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cbgsujmwws.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cbgsujmwws.exe.9f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cbgsujmwws.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cbgsujmwws.exe PID: 6240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cbgsujmwws.exe PID: 492, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: PopPassword		2_2_0040D069
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: SmtpPassword		2_2_0040D069

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cbgsujmwws.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cbgsujmwws.exe.9f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cbgsujmwws.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY