
Windows Analysis Report
PI#53034601506400.exe

Overview

General Information

Sample Name: PI#53034601506400.exe
Analysis ID: 708241
MD5: 05d1649e1b980b3d59b189a2fe07fc3c
SHA1: 9227eb122ce621fa3f7375c4a0ac4becd45b82c0
SHA256: 66f1a748e30aaa66b2053848270d68f5dc3ec9ccd4b9a5dbaa6a6dfd3139490c
Tags: exe, Loki
Infos:

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected Lokibot
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • PI#53034601506400.exe (PID: 5988 cmdline: "C:\Users\user\Desktop\PI#53034601506400.exe" MD5: 05D1649E1B980B3D59B189A2FE07FC3C)
    • PI#53034601506400.exe (PID: 2312 cmdline: C:\Users\user\Desktop\PI#53034601506400.exe MD5: 05D1649E1B980B3D59B189A2FE07FC3C)
  • cleanup
Malware Configuration (Lokibot): {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://162.0.223.13/?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i"]}
Yara matches (PCAP)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security |

Yara matches (memory dumps)

Source | Rule | Description | Author | Strings
00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security |
00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Lokibot_1f885282 | unknown | unknown |
  • 0x7f8d4:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
(26 entries in total; the remaining entries are not included in this export)

Yara matches (unpacked PEs)

Source | Rule | Description | Author | Strings
0.2.PI#53034601506400.exe.2575394.3.unpack | Windows_Trojan_Lokibot_0f421617 | unknown | unknown |
  • 0x2d563:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.PI#53034601506400.exe.38976c0.9.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth |
  • 0x13278:$s1: http://
  • 0x16233:$s1: http://
  • 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13280:$s2: https://
  • 0x13278:$f1: http://
  • 0x16233:$f1: http://
  • 0x13280:$f2: https://
0.2.PI#53034601506400.exe.38976c0.9.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
0.2.PI#53034601506400.exe.38976c0.9.unpack | Windows_Trojan_Lokibot_1f885282 | unknown | unknown |
  • 0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.PI#53034601506400.exe.38976c0.9.unpack | Windows_Trojan_Lokibot_0f421617 | unknown | unknown |
  • 0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
(73 entries in total; the remaining entries are not included in this export)
No Sigma rule has matched

Snort IDS Alerts

Timestamp: 09/23/22-07:58:29.454711
SID: 2024317
Source IP: 192.168.2.5
Source Port: 49699
Destination IP: 162.0.223.13
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/23/22-07:58:37.371596
SID: 2024313
Source IP: 192.168.2.5
Source Port: 49701
Destination IP: 162.0.223.13
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/23/22-07:58:37.371596
SID: 2021641
Source IP: 192.168.2.5
Source Port: 49701
Destination IP: 162.0.223.13
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/23/22-07:58:29.454711
SID: 2021641
Source IP: 192.168.2.5
Source Port: 49699
Destination IP: 162.0.223.13
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/23/22-07:58:29.454711
SID: 2024312
Source IP: 192.168.2.5
Source Port: 49699
Destination IP: 162.0.223.13
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/23/22-07:58:37.371596
SID: 2024318
Source IP: 192.168.2.5
Source Port: 49701
Destination IP: 162.0.223.13
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/23/22-07:58:35.112918
SID: 2024312
Source IP: 192.168.2.5
Source Port: 49700
Destination IP: 162.0.223.13
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/23/22-07:58:35.112918
SID: 2021641
Source IP: 192.168.2.5
Source Port: 49700
Destination IP: 162.0.223.13
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/23/22-07:58:35.112918
SID: 2024317
Source IP: 192.168.2.5
Source Port: 49700
Destination IP: 162.0.223.13
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://162.0.223.13/?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i"]}
Source: PI#53034601506400.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PI#53034601506400.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49699 -> 162.0.223.13:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49699 -> 162.0.223.13:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49699 -> 162.0.223.13:80
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49700 -> 162.0.223.13:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49700 -> 162.0.223.13:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49700 -> 162.0.223.13:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49701 -> 162.0.223.13:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49701 -> 162.0.223.13:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49701 -> 162.0.223.13:80
Source: Malware configuration extractor | URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor | URLs: http://162.0.223.13/?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i
Source: Joe Sandbox View | ASN Name: ACPCA ACPCA
Source: Joe Sandbox View | IP Address: 162.0.223.13 162.0.223.13
Source: global traffic | HTTP traffic detected:
  POST /?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 162.0.223.13
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 9AC780C0
  Content-Length: 192
  Connection: close
Source: global traffic | HTTP traffic detected:
  POST /?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 162.0.223.13
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 9AC780C0
  Content-Length: 192
  Connection: close
Source: global traffic | HTTP traffic detected:
  POST /?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 162.0.223.13
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 9AC780C0
  Content-Length: 165
  Connection: close
Source: unknown | TCP traffic detected without corresponding DNS query: 162.0.223.13 (20 occurrences)
Source: PI#53034601506400.exe, 00000001.00000002.352185413.0000000002F87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://apache.org
Source: PI#53034601506400.exe, 00000001.00000002.352185413.0000000002F87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://centos.org
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: PI#53034601506400.exe, 00000001.00000002.352185413.0000000002F87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://httpd.apache.org/
Source: PI#53034601506400.exe, 00000000.00000002.328171471.00000000024E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PI#53034601506400.exe, 00000001.00000002.352185413.0000000002F87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.centos.org/
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PI#53034601506400.exe, 00000000.00000003.312172741.0000000005A58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/pe.
Source: PI#53034601506400.exe, 00000000.00000003.312213384.0000000005A58000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.312084396.0000000005A58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/pe.M
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PI#53034601506400.exe, 00000000.00000003.325770393.0000000005A4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comgrita5
Source: PI#53034601506400.exe, 00000000.00000003.325770393.0000000005A4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308277205.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308234434.0000000005A6E000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnGg
Source: PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnQ
Source: PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnU
Source: PI#53034601506400.exe, 00000000.00000003.308277205.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308234434.0000000005A6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnion
Source: PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cno_
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: PI#53034601506400.exe, 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000001.00000000.323196487.0000000000415000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
Source: PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PI#53034601506400.exe, 00000000.00000003.310562802.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/5
Source: PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/I
Source: PI#53034601506400.exe, 00000000.00000003.310562802.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0m
Source: PI#53034601506400.exe, 00000000.00000003.310562802.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: PI#53034601506400.exe, 00000000.00000003.310562802.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/:
Source: PI#53034601506400.exe, 00000000.00000003.310562802.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310333869.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/r
Source: PI#53034601506400.exe, 00000000.00000003.306344407.0000000005A4C000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.306358549.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: PI#53034601506400.exe, 00000000.00000003.306344407.0000000005A4C000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.306358549.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com7
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: PI#53034601506400.exe, 00000000.00000003.311913695.0000000005A58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.de
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: PI#53034601506400.exe, 00000000.00000003.311913695.0000000005A58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deu4
Source: PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | HTTP traffic detected:
  POST /?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 162.0.223.13
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 9AC780C0
  Content-Length: 192
  Connection: close
Source: PI#53034601506400.exe, 00000000.00000002.326448349.0000000000788000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 0.2.PI#53034601506400.exe.2575394.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.PI#53034601506400.exe.38976c0.9.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.PI#53034601506400.exe.38976c0.9.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.PI#53034601506400.exe.38976c0.9.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.PI#53034601506400.exe.38976c0.9.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PI#53034601506400.exe.36e9f68.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.PI#53034601506400.exe.36e9f68.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.PI#53034601506400.exe.36e9f68.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.PI#53034601506400.exe.36e9f68.6.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.PI#53034601506400.exe.36e9f68.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PI#53034601506400.exe.38976c0.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.PI#53034601506400.exe.38976c0.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.PI#53034601506400.exe.38976c0.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.PI#53034601506400.exe.38976c0.9.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.PI#53034601506400.exe.38976c0.9.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PI#53034601506400.exe.2575394.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.PI#53034601506400.exe.2575394.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.PI#53034601506400.exe.2575394.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.PI#53034601506400.exe.2575394.3.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.PI#53034601506400.exe.2575394.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PI#53034601506400.exe.2569148.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.PI#53034601506400.exe.2569148.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.PI#53034601506400.exe.2569148.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.PI#53034601506400.exe.2569148.1.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.PI#53034601506400.exe.2569148.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PI#53034601506400.exe.3633990.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.PI#53034601506400.exe.3633990.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.PI#53034601506400.exe.3633990.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.PI#53034601506400.exe.3633990.4.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.PI#53034601506400.exe.3633990.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PI#53034601506400.exe.2561efc.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.PI#53034601506400.exe.2561efc.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.PI#53034601506400.exe.2561efc.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.PI#53034601506400.exe.2561efc.2.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.PI#53034601506400.exe.2561efc.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PI#53034601506400.exe.3525928.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.PI#53034601506400.exe.3525928.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.PI#53034601506400.exe.3525928.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.PI#53034601506400.exe.3525928.5.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.PI#53034601506400.exe.3525928.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
              Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
              Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
              Source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
              Source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
              Source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
              Source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000001.00000000.323196487.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
              Source: 00000001.00000000.322806512.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
              Source: Process Memory Space: PI#53034601506400.exe PID: 5988, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
              Source: Process Memory Space: PI#53034601506400.exe PID: 2312, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: PI#53034601506400.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.PI#53034601506400.exe.2575394.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.PI#53034601506400.exe.38976c0.9.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.PI#53034601506400.exe.38976c0.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.PI#53034601506400.exe.38976c0.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.PI#53034601506400.exe.38976c0.9.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.PI#53034601506400.exe.38976c0.9.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PI#53034601506400.exe.36e9f68.6.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.PI#53034601506400.exe.36e9f68.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.PI#53034601506400.exe.36e9f68.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.PI#53034601506400.exe.36e9f68.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.PI#53034601506400.exe.36e9f68.6.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.PI#53034601506400.exe.36e9f68.6.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PI#53034601506400.exe.38976c0.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.PI#53034601506400.exe.38976c0.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.PI#53034601506400.exe.38976c0.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.PI#53034601506400.exe.38976c0.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.PI#53034601506400.exe.38976c0.9.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.PI#53034601506400.exe.38976c0.9.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PI#53034601506400.exe.2575394.3.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.PI#53034601506400.exe.2575394.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.PI#53034601506400.exe.2575394.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.PI#53034601506400.exe.2575394.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.PI#53034601506400.exe.2575394.3.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.PI#53034601506400.exe.2575394.3.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PI#53034601506400.exe.2569148.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.PI#53034601506400.exe.2569148.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.PI#53034601506400.exe.2569148.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.PI#53034601506400.exe.2569148.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.PI#53034601506400.exe.2569148.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.PI#53034601506400.exe.2569148.1.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PI#53034601506400.exe.3633990.4.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.PI#53034601506400.exe.3633990.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.PI#53034601506400.exe.3633990.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.PI#53034601506400.exe.3633990.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.PI#53034601506400.exe.3633990.4.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.PI#53034601506400.exe.3633990.4.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PI#53034601506400.exe.2561efc.2.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.PI#53034601506400.exe.2561efc.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.PI#53034601506400.exe.2561efc.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.PI#53034601506400.exe.2561efc.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.PI#53034601506400.exe.2561efc.2.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.PI#53034601506400.exe.2561efc.2.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PI#53034601506400.exe.3525928.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.PI#53034601506400.exe.3525928.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.PI#53034601506400.exe.3525928.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.PI#53034601506400.exe.3525928.5.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.PI#53034601506400.exe.3525928.5.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.323196487.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000001.00000000.322806512.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: Process Memory Space: PI#53034601506400.exe PID: 5988, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: PI#53034601506400.exe PID: 2312, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\PI#53034601506400.exe Code function: 0_2_0077E1B8
Source: C:\Users\user\Desktop\PI#53034601506400.exe Code function: 0_2_0077CD27
Source: PI#53034601506400.exe, 00000000.00000002.328171471.00000000024E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs PI#53034601506400.exe
Source: PI#53034601506400.exe, 00000000.00000002.342062577.0000000003736000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMetal.dllJ vs PI#53034601506400.exe
Source: PI#53034601506400.exe, 00000000.00000002.345925221.0000000007510000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMetal.dllJ vs PI#53034601506400.exe
Source: PI#53034601506400.exe, 00000000.00000000.300607103.0000000000176000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamevPnb.exeD vs PI#53034601506400.exe
Source: PI#53034601506400.exe, 00000000.00000002.326448349.0000000000788000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PI#53034601506400.exe
Source: PI#53034601506400.exe, 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMetal.dllJ vs PI#53034601506400.exe
Source: PI#53034601506400.exe, 00000000.00000002.345898074.0000000007340000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs PI#53034601506400.exe
Source: PI#53034601506400.exe, 00000000.00000002.344112204.0000000005A10000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTargetParameterCount.dll> vs PI#53034601506400.exe
Source: PI#53034601506400.exe, 00000000.00000002.330109817.00000000025C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs PI#53034601506400.exe
Source: PI#53034601506400.exe Binary or memory string: OriginalFilenamevPnb.exeD vs PI#53034601506400.exe
Source: PI#53034601506400.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PI#53034601506400.exe File read: C:\Users\user\Desktop\PI#53034601506400.exe:Zone.Identifier
Source: PI#53034601506400.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PI#53034601506400.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\PI#53034601506400.exe "C:\Users\user\Desktop\PI#53034601506400.exe"
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process created: C:\Users\user\Desktop\PI#53034601506400.exe C:\Users\user\Desktop\PI#53034601506400.exe
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process created: C:\Users\user\Desktop\PI#53034601506400.exe C:\Users\user\Desktop\PI#53034601506400.exe
Source: C:\Users\user\Desktop\PI#53034601506400.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PI#53034601506400.exe.log
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/3@0/1
Source: PI#53034601506400.exe, 00000001.00000003.324932752.0000000000D57000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: PI#53034601506400.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\PI#53034601506400.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\PI#53034601506400.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
              Source: C:\Users\user\Desktop\PI#53034601506400.exeMutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
              Source: PI#53034601506400.exe, 00000000.00000003.313997229.0000000005A5F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: is a registered trademark of Bigelow & Holmes Inc.slnt
              Source: C:\Users\user\Desktop\PI#53034601506400.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\Users\user\Desktop\PI#53034601506400.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
              Source: PI#53034601506400.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: PI#53034601506400.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: PI#53034601506400.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

              Data Obfuscation

Source: Yara match File source: 0.2.PI#53034601506400.exe.38976c0.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PI#53034601506400.exe.36e9f68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PI#53034601506400.exe.38976c0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PI#53034601506400.exe.2575394.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PI#53034601506400.exe.2569148.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PI#53034601506400.exe.3633990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PI#53034601506400.exe.2561efc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PI#53034601506400.exe.3525928.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.323196487.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PI#53034601506400.exe PID: 5988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PI#53034601506400.exe PID: 2312, type: MEMORYSTR
Source: PI#53034601506400.exe, GUI/DangNhap.cs .Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.PI#53034601506400.exe.a0000.0.unpack, GUI/DangNhap.cs .Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: PI#53034601506400.exe Static PE information: 0x92744BED [Mon Nov 11 14:25:49 2047 UTC]
Source: initial sample Static PE information: section name: .text entropy: 6.8711614725083345
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\PI#53034601506400.exe Process information set: NOGPFAULTERRORBOX

              Malware Analysis System Evasion

Source: Yara match File source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PI#53034601506400.exe PID: 5988, type: MEMORYSTR
Source: PI#53034601506400.exe, 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: PI#53034601506400.exe, 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -239871s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -239766s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -239639s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -239532s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -239391s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -239281s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -239164s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -238958s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -238797s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -238619s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -238500s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -238359s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -238218s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -238106s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -237991s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -237842s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -237688s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -237561s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -237427s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -237297s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -237116s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -236984s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -236841s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -236688s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -236537s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -236391s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -236249s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -236141s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -236000s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -235887s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -235766s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -235641s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -235513s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -235391s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -235250s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -235138s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -235028s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -234905s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -234777s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -234657s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -234530s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -234418s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -234281s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -234172s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -234063s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -233953s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -233844s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -233688s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6068 Thread sleep time: -41226s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 6120 Thread sleep time: -233547s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe TID: 5040 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\PI#53034601506400.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 239871
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 239766
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 239639
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 239532
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 239391
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 239281
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 239164
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 238958
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 238797
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 238619
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 238500
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 238359
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 238218
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 238106
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 237991
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 237842
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 237688
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 237561
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 237427
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 237297
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 237116
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 236984
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 236841
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 236688
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 236537
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 236391
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 236249
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 236141
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 236000
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 235887
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 235766
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 235641
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 235513
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 235391
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 235250
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 235138
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 235028
Source: C:\Users\user\Desktop\PI#53034601506400.exe Thread delayed: delay time: 234905
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 234777
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 234657
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 234530
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 234418
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 234281
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 234172
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 234063
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 233953
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 233844
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 233688
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 233547
              Source: C:\Users\user\Desktop\PI#53034601506400.exeWindow / User API: threadDelayed 9142
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 240000
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 239871
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 239766
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 239639
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 239532
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 239391
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 239281
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 239164
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 238958
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 238797
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 238619
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 238500
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 238359
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 238218
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 238106
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 237991
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 237842
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 237688
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 237561
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 237427
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 237297
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 237116
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 236984
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 236841
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 236688
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 236537
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 236391
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 236249
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 236141
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 236000
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 235887
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 235766
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 235641
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 235513
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 235391
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 235250
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 235138
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 235028
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 234905
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 234777
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 234657
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 234530
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 234418
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 234281
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 234172
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 234063
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 233953
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 233844
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 233688
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 41226
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 233547
              Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 60000
              Source: PI#53034601506400.exe, 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VBOXDSOFTWARE\VMware, Inc.\VMware Tools
              Source: PI#53034601506400.exe, 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
              Source: PI#53034601506400.exe, 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\TSOFTWARE\Oracle\VirtualBox Guest AdditionsNSYSTEM\ControlSet001\Services\Disk\Enum
              Source: PI#53034601506400.exe, 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
              Source: PI#53034601506400.exe, 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
              Source: C:\Users\user\Desktop\PI#53034601506400.exeProcess token adjusted: Debug
              Source: C:\Users\user\Desktop\PI#53034601506400.exeProcess queried: DebugPort
              Source: C:\Users\user\Desktop\PI#53034601506400.exeMemory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Memory written: C:\Users\user\Desktop\PI#53034601506400.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Process created: C:\Users\user\Desktop\PI#53034601506400.exe C:\Users\user\Desktop\PI#53034601506400.exe
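              The evidence lines above carry three things an analyst has to turn into a verdict: a sleep sequence that starts at an effectively infinite value and then shrinks from 240000 ms by roughly 100 to 150 ms per entry (the shape a sleep-until-deadline loop leaves when the sandbox wakes it early, which is why the report also says execution stopped while the process was sleeping), VMware and VirtualBox artefact strings including the registry paths the sample looks at, a DebugPort query, and an MZ header written at base 0x400000 into a freshly created copy of the sample's own image. The helper below is an added example, not part of the Joe Sandbox report or of the sample: it parses evidence lines of the form shown on this page (splitting on the signature label, so it does not depend on how the Source column was separated), counts infinite and long sleeps, measures the longest shrinking-delay run, collects anti-VM strings and debugger checks, and flags the self-injection pattern only when a process-created line and an MZ-at-0x400000 write point at the same image. Assumptions, labelled as such in the code: that 922337203685477 is Int64.MaxValue in 100 ns units rendered as milliseconds and therefore an infinite wait, the 1000 ms step used to recognise the countdown loop, and the keyword list for VM artefacts. The embedded sample lines are a subset copied from this report.

```python
import re
from dataclasses import dataclass, field

# Signature labels seen in this report. The page fuses them onto the end of the
# "Source:" path ("...exeThread delayed: ..."), so lines are split on the first label found.
SIGNATURE_LABELS = ("Thread delayed:", "Window / User API:", "Binary or memory string:",
                    "Process token adjusted:", "Process queried:", "Memory allocated:",
                    "Memory written:", "Process created:", "Queries volume information:")

# 922337203685477 == Int64.MaxValue // 10000, the largest 64-bit interval in 100 ns units
# printed in ms. Treating it as "effectively infinite" is this example's assumption.
INFINITE_DELAY_MS = 922_337_203_685_477
LONG_SLEEP_MS = 3 * 60 * 1000      # the report's own ">= 3 min" threshold
COUNTDOWN_STEP_MS = 1_000          # max shrink per loop iteration (assumed heuristic)
ANTI_VM_KEYWORDS = ("vmware", "vbox", "virtualbox")   # assumed keyword list

DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")
MEMSTR_RE = re.compile(r"Binary or memory string: (.+)$")
PROC_RE = re.compile(r"Process created: (\S+) ")
WRITE_RE = re.compile(r"Memory written: (.+?) base: ([0-9A-Fa-f]+) value starts with: ([0-9A-Fa-f]+)")


def split_evidence(line):
    """Return (source, detail) for one 'Source: <path><Label>: ...' line, else None."""
    body = line.strip()
    if not body.startswith("Source:"):
        return None
    body = body[len("Source:"):].strip()
    hits = [i for i in (body.find(lbl) for lbl in SIGNATURE_LABELS) if i >= 0]
    return (body[:min(hits)].strip(), body[min(hits):].strip()) if hits else None


def longest_countdown(delays):
    """Longest run of finite delays each slightly shorter than the last (240000, 239871, ...)."""
    best = run = 0
    prev = None
    for d in delays:
        if d >= INFINITE_DELAY_MS:          # infinite waits break the run
            prev, run = None, 0
            continue
        run = run + 1 if prev is not None and 0 < prev - d <= COUNTDOWN_STEP_MS else 1
        best, prev = max(best, run), d
    return best


@dataclass
class Triage:
    delays_ms: list = field(default_factory=list)
    anti_vm_strings: list = field(default_factory=list)
    debug_checks: list = field(default_factory=list)
    infinite_sleeps: int = 0
    long_sleeps: int = 0
    countdown_len: int = 0        # >= 3 means a sleep-until-deadline loop was re-run
    self_injection: bool = False  # MZ written at 0x400000 into a child copy of itself


def triage(lines):
    """Fold report evidence lines into a Triage summary."""
    t, created_self, mz_writes = Triage(), set(), set()
    for line in lines:
        if (parsed := split_evidence(line)) is None:
            continue
        source, detail = parsed
        if m := DELAY_RE.search(detail):
            t.delays_ms.append(int(m.group(1)))
        elif m := MEMSTR_RE.search(detail):
            if any(k in m.group(1).lower() for k in ANTI_VM_KEYWORDS):
                t.anti_vm_strings.append(m.group(1))
        elif detail in ("Process token adjusted: Debug", "Process queried: DebugPort"):
            t.debug_checks.append(detail)
        elif m := PROC_RE.search(detail):
            if m.group(1).lower() == source.lower():   # spawns a copy of its own image
                created_self.add(source.lower())
        elif m := WRITE_RE.search(detail):
            target, base, magic = m.groups()
            if int(base, 16) == 0x400000 and magic.upper().startswith("4D5A"):
                mz_writes.add(target.lower())
    finite = [d for d in t.delays_ms if d < INFINITE_DELAY_MS]
    t.infinite_sleeps = len(t.delays_ms) - len(finite)
    t.long_sleeps = sum(1 for d in finite if d >= LONG_SLEEP_MS)
    t.countdown_len = longest_countdown(t.delays_ms)
    t.self_injection = bool(created_self & mz_writes)   # both halves must name the same image
    return t


# Evidence lines copied from this report (a subset), in the fused form the page shows.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 240000",
    r"Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 239871",
    r"Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 239766",
    r"Source: C:\Users\user\Desktop\PI#53034601506400.exeThread delayed: delay time: 60000",
    r"Source: PI#53034601506400.exe, 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VBOXDSOFTWARE\VMware, Inc.\VMware Tools",
    r"Source: PI#53034601506400.exe, 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\TSOFTWARE\Oracle\VirtualBox Guest AdditionsNSYSTEM\ControlSet001\Services\Disk\Enum",
    r"Source: C:\Users\user\Desktop\PI#53034601506400.exeProcess token adjusted: Debug",
    r"Source: C:\Users\user\Desktop\PI#53034601506400.exeProcess queried: DebugPort",
    r"Source: C:\Users\user\Desktop\PI#53034601506400.exeMemory written: C:\Users\user\Desktop\PI#53034601506400.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\PI#53034601506400.exeProcess created: C:\Users\user\Desktop\PI#53034601506400.exe C:\Users\user\Desktop\PI#53034601506400.exe",
]
```

Running `triage(SAMPLE_LINES)` on the embedded subset yields one infinite sleep, three sleeps of three minutes or more, a countdown run of three, two anti-VM strings, both debugger checks and `self_injection` set. The injection flag is deliberately a correlation rather than a single-line match: a write of an MZ header alone could be an in-process unpacker, and a self-spawn alone could be a restart; only the two together on the same image path match the hollowing pattern this report describes.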
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Users\user\Desktop\PI#53034601506400.exe VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exe    Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\Desktop\PI#53034601506400.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match | File source: 0.2.PI#53034601506400.exe.36e9f68.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PI#53034601506400.exe.38976c0.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PI#53034601506400.exe.2575394.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PI#53034601506400.exe.2569148.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PI#53034601506400.exe.3633990.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PI#53034601506400.exe.2561efc.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PI#53034601506400.exe.3525928.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000000.323196487.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: PI#53034601506400.exe PID: 5988, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: PI#53034601506400.exe PID: 2312, type: MEMORYSTR
              Source: Yara match | File source: dump.pcap, type: PCAP
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
              Source: C:\Users\user\Desktop\PI#53034601506400.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: Yara match | File source: 0.2.PI#53034601506400.exe.36e9f68.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PI#53034601506400.exe.38976c0.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.0.PI#53034601506400.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PI#53034601506400.exe.2575394.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PI#53034601506400.exe.2569148.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PI#53034601506400.exe.3633990.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PI#53034601506400.exe.2561efc.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PI#53034601506400.exe.3525928.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000000.323196487.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Windows Management Instrumentation | Path Interception | 111 Process Injection | 1 Masquerading | 2 OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | 1 Input Capture | 31 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 1 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | 1 Credentials in Registry | 1 Application Window Discovery | SMB/Windows Admin Shares | 1 Archive Collected Data | Automated Exfiltration | 111 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 111 Process Injection | NTDS | 13 System Information Discovery | Distributed Component Object Model | 2 Data from Local System | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | 12 Software Packing | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Timestomp | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact


Source | Detection | Scanner | Label
PI#53034601506400.exe | 10% | ReversingLabs | ByteCode-MSIL.Packed.Generic
No Antivirus matches
Source | Detection | Scanner | Label
1.0.PI#53034601506400.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.PI#53034601506400.exe.3525928.5.unpack | 100% | Avira | HEUR/AGEN.1244307
0.2.PI#53034601506400.exe.38976c0.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
No Antivirus matches
Source | Detection | Scanner | Label
http://www.founder.com.cn/cnQ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.ibsensoftware.com/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cnU | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/: | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/5 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp// | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://kbfvzoboss.bid/alien/fre.php | 0% | URL Reputation | safe
http://alphastand.top/alien/fre.php | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/I | 0% | URL Reputation | safe
http://alphastand.win/alien/fre.php | 0% | URL Reputation | safe
http://alphastand.trade/alien/fre.php | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.founder.com.cn/cnGg | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/r | 0% | URL Reputation | safe
http://www.sajatypeworks.com7 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Y0m | 0% | Avira URL Cloud | safe
http://www.urwpp.deu4 | 0% | Avira URL Cloud | safe
http://www.fontbureau.comm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cnion | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/d | 0% | URL Reputation | safe
http://www.founder.com.cn/cno_ | 0% | Avira URL Cloud | safe
http://www.fontbureau.comgrita5 | 0% | Avira URL Cloud | safe
              No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://kbfvzoboss.bid/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.top/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.win/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.trade/alien/fre.php | true | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cnQ | PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.ibsensoftware.com/ | PI#53034601506400.exe, 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000001.00000000.323196487.0000000000415000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com7 | PI#53034601506400.exe, 00000000.00000003.306344407.0000000005A4C000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.306358549.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnU | PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/: | PI#53034601506400.exe, 00000000.00000003.310562802.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | PI#53034601506400.exe, 00000000.00000003.306344407.0000000005A4C000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.306358549.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deu4 | PI#53034601506400.exe, 00000000.00000003.311913695.0000000005A58000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://fontfabrik.com | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/5 | PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp// | PI#53034601506400.exe, 00000000.00000003.310562802.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0m | PI#53034601506400.exe, 00000000.00000003.310562802.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/pe.M | PI#53034601506400.exe, 00000000.00000003.312213384.0000000005A58000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.312084396.0000000005A58000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.de | PI#53034601506400.exe, 00000000.00000003.311913695.0000000005A58000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PI#53034601506400.exe, 00000000.00000002.328171471.00000000024E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://centos.org | PI#53034601506400.exe, 00000001.00000002.352185413.0000000002F87000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://apache.org | PI#53034601506400.exe, 00000001.00000002.352185413.0000000002F87000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/I | PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnGg | PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.centos.org/ | PI#53034601506400.exe, 00000001.00000002.352185413.0000000002F87000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/ | PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cnion | PI#53034601506400.exe, 00000000.00000003.308277205.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308234434.0000000005A6E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308277205.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308234434.0000000005A6E000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/r | PI#53034601506400.exe, 00000000.00000003.310562802.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310333869.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://httpd.apache.org/ | PI#53034601506400.exe, 00000001.00000002.352185413.0000000002F87000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/pe. | PI#53034601506400.exe, 00000000.00000003.312172741.0000000005A58000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cno_ | PI#53034601506400.exe, 00000000.00000003.308708832.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308753663.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.308640910.0000000005A50000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comm | PI#53034601506400.exe, 00000000.00000003.325770393.0000000005A4B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comgrita5 | PI#53034601506400.exe, 00000000.00000003.325770393.0000000005A4B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | PI#53034601506400.exe, 00000000.00000002.344357322.0000000006C52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/d | PI#53034601506400.exe, 00000000.00000003.310562802.0000000005A43000.00000004.00000800.00020000.00000000.sdmp, PI#53034601506400.exe, 00000000.00000003.310914397.0000000005A48000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
162.0.223.13 | unknown | Canada | 35893 | ACPCA | true
                                                Joe Sandbox Version:36.0.0 Rainbow Opal
                                                Analysis ID:708241
                                                Start date and time:2022-09-23 07:57:19 +02:00
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 5m 35s
                                                Hypervisor based Inspection enabled:false
                                                Report type:light
                                                Sample file name:PI#53034601506400.exe
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                Number of analysed new started processes analysed:2
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.spyw.evad.winEXE@3/3@0/1
                                                EGA Information:
                                                • Successful, ratio: 100%
                                                HDC Information:Failed
                                                HCA Information:
                                                • Successful, ratio: 96%
                                                • Number of executed functions: 0
                                                • Number of non-executed functions: 0
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Stop behavior analysis, all processes terminated
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
07:58:29 | API Interceptor | 77x Sleep call for process: PI#53034601506400.exe modified
No context
                                                Process:C:\Users\user\Desktop\PI#53034601506400.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1394
                                                Entropy (8bit):5.340883346054895
                                                Encrypted:false
                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4bE4KnKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84F0:MIHK5HKXE1qHbHKnYHKhQnoPtHoxHhAR
                                                MD5:B51A52A837298BCF7A6EB58551AEF99C
                                                SHA1:61EEFCC20AC255B8651769E5C48E27B2A983FC4A
                                                SHA-256:1D393FBB3CE754EA699462C2778587A7F2451EB23BE2BD5084C95A46B20BE8AF
                                                SHA-512:138544399787651C847837719606197E539857206CCB271E0F4A86E2017FBADABADF5A235B6F6F1DA8ADE7EF29DBA3115CD1996AD01F92CA30C57D0BF217C11C
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e08
                                                Process:C:\Users\user\Desktop\PI#53034601506400.exe
                                                File Type:very short file (no magic)
                                                Category:dropped
                                                Size (bytes):1
                                                Entropy (8bit):0.0
                                                Encrypted:false
                                                SSDEEP:3:U:U
                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview:1
                                                Process:C:\Users\user\Desktop\PI#53034601506400.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):47
                                                Entropy (8bit):1.168829563685559
                                                Encrypted:false
                                                SSDEEP:3:/lSll2DQi:AoMi
                                                MD5:DAB633BEBCCE13575989DCFA4E2203D6
                                                SHA1:33186D50F04C5B5196C1FCC1FAD17894B35AC6C7
                                                SHA-256:1C00FBA1B82CD386E866547F33E1526B03F59E577449792D99C882DEF05A1D17
                                                SHA-512:EDDBB22D9FC6065B8F5376EC95E316E7569530EFAA9EA9BC641881D763B91084DCCC05BC793E8E29131D20946392A31BD943E8FC632D91EE13ABA7B0CD1C626F
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview:........................................user.
                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):6.864314970810788
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                • DOS Executable Generic (2002/1) 0.01%
                                                File name:PI#53034601506400.exe
                                                File size:864768
                                                MD5:05d1649e1b980b3d59b189a2fe07fc3c
                                                SHA1:9227eb122ce621fa3f7375c4a0ac4becd45b82c0
                                                SHA256:66f1a748e30aaa66b2053848270d68f5dc3ec9ccd4b9a5dbaa6a6dfd3139490c
                                                SHA512:416a319477478c75af755e598451a7a71753ff6d956f327fe08d5d207f455e5e4f1717a008af6eb441a1d083c47b1f185576ee8bcff860162553ce237253a5d2
                                                SSDEEP:24576:8hLuyygLvA4Bk+3F4LneWDL23YmEJxvNT:oLuyygLvA4i+36SA2IZ/V
                                                TLSH:8405D0371AEA4B0BD12873B491E1C6F593B99D12E066C3876FC57C9FB0677208B21762
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Kt...............0..*...........I... ...`....@.. ....................................@................................
                                                Icon Hash:00828e8e8686b000
                                                Entrypoint:0x4d49fa
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x92744BED [Mon Nov 11 14:25:49 2047 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                Instruction
                                                jmp dword ptr [00402000h]
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                Name                                  Virtual Address  Virtual Size  Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_IMPORT          0xd49a8          0x4f          .text
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE        0xd6000          0x3e8         .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC       0xd8000          0xc           .reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG           0xd498c          0x1c          .text
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
                                                .text   0x2000           0xd2a00       0xd2a00   False     0.7079770956973294  data       6.8711614725083345   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                .rsrc   0xd6000          0x3e8         0x400     False     0.408203125         data       3.1405939185942064   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc  0xd8000          0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                Name        RVA      Size   Type                                                              Language  Country
                                                RT_VERSION  0xd6058  0x38c  PGP symmetric key encrypted data - Plaintext or unencrypted data
                                                DLL          Import
                                                mscoree.dll  _CorExeMain
                                                Timestamp                 Protocol  SID      Message                                                                 Source Port  Dest Port  Source IP    Dest IP
                                                09/23/22-07:58:29.454711  TCP       2024317  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2  49699        80         192.168.2.5  162.0.223.13
                                                09/23/22-07:58:37.371596  TCP       2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1                   49701        80         192.168.2.5  162.0.223.13
                                                09/23/22-07:58:37.371596  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                           49701        80         192.168.2.5  162.0.223.13
                                                09/23/22-07:58:29.454711  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                           49699        80         192.168.2.5  162.0.223.13
                                                09/23/22-07:58:29.454711  TCP       2024312  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1  49699        80         192.168.2.5  162.0.223.13
                                                09/23/22-07:58:37.371596  TCP       2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2                   49701        80         192.168.2.5  162.0.223.13
                                                09/23/22-07:58:35.112918  TCP       2024312  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1  49700        80         192.168.2.5  162.0.223.13
                                                09/23/22-07:58:35.112918  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                           49700        80         192.168.2.5  162.0.223.13
                                                09/23/22-07:58:35.112918  TCP       2024317  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2  49700        80         192.168.2.5  162.0.223.13
                                                Timestamp                             Source Port  Dest Port  Source IP     Dest IP
                                                Sep 23, 2022 07:58:29.179511070 CEST  49699        80         192.168.2.5   162.0.223.13
                                                Sep 23, 2022 07:58:29.359904051 CEST  80           49699      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:29.360583067 CEST  49699        80         192.168.2.5   162.0.223.13
                                                Sep 23, 2022 07:58:29.454710960 CEST  49699        80         192.168.2.5   162.0.223.13
                                                Sep 23, 2022 07:58:29.634676933 CEST  80           49699      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:29.635971069 CEST  49699        80         192.168.2.5   162.0.223.13
                                                Sep 23, 2022 07:58:29.816203117 CEST  80           49699      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:30.407465935 CEST  80           49699      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:30.407499075 CEST  80           49699      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:30.407515049 CEST  80           49699      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:30.407531977 CEST  80           49699      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:30.407542944 CEST  80           49699      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:30.407654047 CEST  49699        80         192.168.2.5   162.0.223.13
                                                Sep 23, 2022 07:58:30.407746077 CEST  49699        80         192.168.2.5   162.0.223.13
                                                Sep 23, 2022 07:58:30.413930893 CEST  49699        80         192.168.2.5   162.0.223.13
                                                Sep 23, 2022 07:58:34.932647943 CEST  49700        80         192.168.2.5   162.0.223.13
                                                Sep 23, 2022 07:58:35.109270096 CEST  80           49700      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:35.109378099 CEST  49700        80         192.168.2.5   162.0.223.13
                                                Sep 23, 2022 07:58:35.112917900 CEST  49700        80         192.168.2.5   162.0.223.13
                                                Sep 23, 2022 07:58:35.289486885 CEST  80           49700      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:35.289758921 CEST  49700        80         192.168.2.5   162.0.223.13
                                                Sep 23, 2022 07:58:35.466195107 CEST  80           49700      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:36.030708075 CEST  80           49700      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:36.030744076 CEST  80           49700      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:36.030761003 CEST  80           49700      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:36.030777931 CEST  80           49700      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:36.030790091 CEST  80           49700      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:36.030867100 CEST  49700        80         192.168.2.5   162.0.223.13
                                                Sep 23, 2022 07:58:36.030981064 CEST  49700        80         192.168.2.5   162.0.223.13
                                                Sep 23, 2022 07:58:37.182208061 CEST  49701        80         192.168.2.5   162.0.223.13
                                                Sep 23, 2022 07:58:37.359723091 CEST  80           49701      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:37.363136053 CEST  49701        80         192.168.2.5   162.0.223.13
                                                Sep 23, 2022 07:58:37.371596098 CEST  49701        80         192.168.2.5   162.0.223.13
                                                Sep 23, 2022 07:58:37.549609900 CEST  80           49701      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:37.549799919 CEST  49701        80         192.168.2.5   162.0.223.13
                                                Sep 23, 2022 07:58:37.726494074 CEST  80           49701      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:38.275764942 CEST  80           49701      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:38.275799990 CEST  80           49701      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:38.275816917 CEST  80           49701      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:38.275834084 CEST  80           49701      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:38.275845051 CEST  80           49701      162.0.223.13  192.168.2.5
                                                Sep 23, 2022 07:58:38.275921106 CEST  49701        80         192.168.2.5   162.0.223.13
                                                Sep 23, 2022 07:58:38.276007891 CEST  49701        80         192.168.2.5   162.0.223.13
                                                Sep 23, 2022 07:58:38.276607037 CEST  49701        80         192.168.2.5   162.0.223.13
                                                • 162.0.223.13
                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                0           192.168.2.5  49699        162.0.223.13    80                C:\Users\user\Desktop\PI#53034601506400.exe
                                                Timestamp                             kBytes transferred  Direction  Data
                                                Sep 23, 2022 07:58:29.454710960 CEST  93                  OUT        POST /?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i HTTP/1.0
                                                User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                Host: 162.0.223.13
                                                Accept: */*
                                                Content-Type: application/octet-stream
                                                Content-Encoding: binary
                                                Content-Key: 9AC780C0
                                                Content-Length: 192
                                                Connection: close
                                                Sep 23, 2022 07:58:30.407465935 CEST  95                  IN         HTTP/1.1 200 OK
                                                Date: Fri, 23 Sep 2022 05:58:29 GMT
                                                Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
                                                X-Powered-By: PHP/5.4.16
                                                Content-Length: 5017
                                                Connection: close
                                                Content-Type: text/html; charset=UTF-8
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 3c 74 69 74 6c 65 3e 41 70 61 63 68 65 20 48 54 54 50 20 53 65 72 76 65 72 20 54 65 73 74 20 50 61 67 65 20 70 6f 77 65 72 65 64 20 62 79 20 43 65 6e 74 4f 53 3c 2f 74 69 74 6c 65 3e 0d 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 42 6f 6f 74 73 74 72 61 70 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 6e 6f 69 6e 64 65 78 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 6e 6f 69 6e 64 65 78 2f 63 73 73 2f 6f 70 65 6e 2d 73 61 6e 73 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 09 09 20 0d 0a 0d 0a 62 6f 64 79 20 7b 0d 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 31 30 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 23 63 63 63 3b 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 67 62 61 28 31 30 2c 20 32 34 
2c 20 35 35 2c 20 31 29 3b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 36 70 78 3b 0d 0a 7d 0d 0a 0d 0a 68 32 2c 20 68 33 2c 20 68 34 20 7b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 32 30 30 3b 0d 0a 7d 0d 0a 0d 0a 68 32 20 7b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 38 70 78 3b 0d 0a 7d 0d 0a 0d 0a 2e 6a 75 6d 62 6f 74 72 6f 6e 20 7b 0d 0a 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 67 62 28 32 31 32 2c 32 31 32 2c 32 32 31 29 3b 20 2f 2a 20 4f 6c 64 20 62 72 6f 77 73 65 72 73 20 2a 2f 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 61 64 69 61 6c 2d 67 72 61 64 69 65 6e 74 28 65 6c 6c 69 70 73 65 20 61 74 20 63 65 6e 74 65 72 20 74 6f 70 2c 20 72 67 62 61 28 32 35 35 2c 32 35 35 2c 32 35 35 2c 31 29 20 30 25 2c 72 67 62 61 28 31 37 34 2c 31 37 34 2c 31 38 33 2c 31 29 20 31 30 30 25 29 3b 20 2f 2a 20 57 33 43 20 2a 2f 0d 0a 7d 0d 0a 0d 0a 2e 6a 75 6d 62 6f 74 72 6f 6e 20 68 31 20 7b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 38 70 78 3b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0d 0a 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 32 70 78 20 30 70 78 20 23 61 62 63 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 20
                                                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Apache HTTP Server Test Page powered by CentOS</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ... Bootstrap --> <link href="/noindex/css/bootstrap.min.css" rel="stylesheet"> <link rel="stylesheet" href="noindex/css/open-sans.css" type="text/css" /><style type="text/css">... body { font-family: "Open Sans", Helvetica, sans-serif; font-weight: 100; color: #ccc; background: rgba(10, 24, 55, 1); font-size: 16px;}h2, h3, h4 { font-weight: 200;}h2 { font-size: 28px;}.jumbotron { margin-bottom: 0; color: #333; background: rgb(212,212,221); /* Old browsers */ background: radial-gradient(ellipse at center top, rgba(255,255,255,1) 0%,rgba(174,174,183,1) 100%); /* W3C */}.jumbotron h1 { font-size: 128px; font-weight: 700; color: white; text-shadow: 0px 2px 0px #abc,


                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                1           192.168.2.5  49700        162.0.223.13    80                C:\Users\user\Desktop\PI#53034601506400.exe
                                                Timestamp                             kBytes transferred  Direction  Data
                                                Sep 23, 2022 07:58:35.112917900 CEST  100                 OUT        POST /?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i HTTP/1.0
                                                User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                Host: 162.0.223.13
                                                Accept: */*
                                                Content-Type: application/octet-stream
                                                Content-Encoding: binary
                                                Content-Key: 9AC780C0
                                                Content-Length: 192
                                                Connection: close
                                                Sep 23, 2022 07:58:36.030708075 CEST  102                 IN         HTTP/1.1 200 OK
                                                Date: Fri, 23 Sep 2022 05:58:35 GMT
                                                Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
                                                X-Powered-By: PHP/5.4.16
                                                Content-Length: 5017
                                                Connection: close
                                                Content-Type: text/html; charset=UTF-8
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 3c 74 69 74 6c 65 3e 41 70 61 63 68 65 20 48 54 54 50 20 53 65 72 76 65 72 20 54 65 73 74 20 50 61 67 65 20 70 6f 77 65 72 65 64 20 62 79 20 43 65 6e 74 4f 53 3c 2f 74 69 74 6c 65 3e 0d 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 42 6f 6f 74 73 74 72 61 70 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 6e 6f 69 6e 64 65 78 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 6e 6f 69 6e 64 65 78 2f 63 73 73 2f 6f 70 65 6e 2d 73 61 6e 73 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 09 09 20 0d 0a 0d 0a 62 6f 64 79 20 7b 0d 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 31 30 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 23 63 63 63 3b 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 67 62 61 28 31 30 2c 20 32 34 
2c 20 35 35 2c 20 31 29 3b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 36 70 78 3b 0d 0a 7d 0d 0a 0d 0a 68 32 2c 20 68 33 2c 20 68 34 20 7b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 32 30 30 3b 0d 0a 7d 0d 0a 0d 0a 68 32 20 7b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 38 70 78 3b 0d 0a 7d 0d 0a 0d 0a 2e 6a 75 6d 62 6f 74 72 6f 6e 20 7b 0d 0a 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 67 62 28 32 31 32 2c 32 31 32 2c 32 32 31 29 3b 20 2f 2a 20 4f 6c 64 20 62 72 6f 77 73 65 72 73 20 2a 2f 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 61 64 69 61 6c 2d 67 72 61 64 69 65 6e 74 28 65 6c 6c 69 70 73 65 20 61 74 20 63 65 6e 74 65 72 20 74 6f 70 2c 20 72 67 62 61 28 32 35 35 2c 32 35 35 2c 32 35 35 2c 31 29 20 30 25 2c 72 67 62 61 28 31 37 34 2c 31 37 34 2c 31 38 33 2c 31 29 20 31 30 30 25 29 3b 20 2f 2a 20 57 33 43 20 2a 2f 0d 0a 7d 0d 0a 0d 0a 2e 6a 75 6d 62 6f 74 72 6f 6e 20 68 31 20 7b 0d 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 38 70 78 3b 0d 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0d 0a 20 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0d 0a 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 32 70 78 20 30 70 78 20 23 61 62 63 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 20
                                                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Apache HTTP Server Test Page powered by CentOS</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ... Bootstrap --> <link href="/noindex/css/bootstrap.min.css" rel="stylesheet"> <link rel="stylesheet" href="noindex/css/open-sans.css" type="text/css" /><style type="text/css">... body { font-family: "Open Sans", Helvetica, sans-serif; font-weight: 100; color: #ccc; background: rgba(10, 24, 55, 1); font-size: 16px;}h2, h3, h4 { font-weight: 200;}h2 { font-size: 28px;}.jumbotron { margin-bottom: 0; color: #333; background: rgb(212,212,221); /* Old browsers */ background: radial-gradient(ellipse at center top, rgba(255,255,255,1) 0%,rgba(174,174,183,1) 100%); /* W3C */}.jumbotron h1 { font-size: 128px; font-weight: 700; color: white; text-shadow: 0px 2px 0px #abc,


                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                2           192.168.2.5  49701        162.0.223.13    80                C:\Users\user\Desktop\PI#53034601506400.exe
                                                Timestamp                             kBytes transferred  Direction  Data
                                                Sep 23, 2022 07:58:37.371596098 CEST  106                 OUT        POST /?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i HTTP/1.0
                                                User-Agent: Mozilla/4.08 (Charon; Inferno)
                                                Host: 162.0.223.13
                                                Accept: */*
                                                Content-Type: application/octet-stream
                                                Content-Encoding: binary
                                                Content-Key: 9AC780C0
                                                Content-Length: 165
                                                Connection: close
                                                Sep 23, 2022 07:58:38.275764942 CEST  108                 IN         HTTP/1.1 200 OK
                                                Date: Fri, 23 Sep 2022 05:58:37 GMT
                                                Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
                                                X-Powered-By: PHP/5.4.16
                                                Content-Length: 5017
                                                Connection: close
                                                Content-Type: text/html; charset=UTF-8
                                                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Apache HTTP Server Test Page powered by CentOS</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ... Bootstrap --> <link href="/noindex/css/bootstrap.min.css" rel="stylesheet"> <link rel="stylesheet" href="noindex/css/open-sans.css" type="text/css" /><style type="text/css">... body { font-family: "Open Sans", Helvetica, sans-serif; font-weight: 100; color: #ccc; background: rgba(10, 24, 55, 1); font-size: 16px;}h2, h3, h4 { font-weight: 200;}h2 { font-size: 28px;}.jumbotron { margin-bottom: 0; color: #333; background: rgb(212,212,221); /* Old browsers */ background: radial-gradient(ellipse at center top, rgba(255,255,255,1) 0%,rgba(174,174,183,1) 100%); /* W3C */}.jumbotron h1 { font-size: 128px; font-weight: 700; color: white; text-shadow: 0px 2px 0px #abc,



                                                Target ID:0
                                                Start time:07:58:27
                                                Start date:23/09/2022
                                                Path:C:\Users\user\Desktop\PI#53034601506400.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\PI#53034601506400.exe"
                                                Imagebase:0xa0000
                                                File size:864768 bytes
                                                MD5 hash:05D1649E1B980B3D59B189A2FE07FC3C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.328500909.0000000002538000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.343096170.0000000003897000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.340586638.0000000003525000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:low

                                                Target ID:1
                                                Start time:07:58:37
                                                Start date:23/09/2022
                                                Path:C:\Users\user\Desktop\PI#53034601506400.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\Desktop\PI#53034601506400.exe
                                                Imagebase:0x820000
                                                File size:864768 bytes
                                                MD5 hash:05D1649E1B980B3D59B189A2FE07FC3C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.323196487.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000000.323196487.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000000.323196487.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000001.00000000.323196487.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000001.00000000.322806512.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                Reputation:low

                                                No disassembly