Analysis

Category FILE
Package exe
Started 2020-07-19 16:59:18
Completed 2020-07-19 17:04:22
Duration 304 seconds
route = tor
2020-05-13 09:09:22,696 [root] INFO: Date set to: 20200719T16:45:14, timeout set to: 200
2020-07-19 16:45:14,031 [root] DEBUG: Starting analyzer from: C:\tmp2ylp3rhi
2020-07-19 16:45:14,031 [root] DEBUG: Storing results at: C:\lZwNzxI
2020-07-19 16:45:14,031 [root] DEBUG: Pipe server name: \\.\PIPE\soMdsCGIeF
2020-07-19 16:45:14,031 [root] DEBUG: Python path: C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32
2020-07-19 16:45:14,031 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-07-19 16:45:14,046 [root] INFO: Automatically selected analysis package "exe"
2020-07-19 16:45:14,046 [root] DEBUG: Trying to import analysis package "exe"...
2020-07-19 16:45:14,046 [root] DEBUG: Imported analysis package "exe".
2020-07-19 16:45:14,046 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-07-19 16:45:14,046 [root] DEBUG: Initialized analysis package "exe".
2020-07-19 16:45:14,093 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-07-19 16:45:14,093 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-07-19 16:45:14,093 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-07-19 16:45:14,109 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-07-19 16:45:14,109 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-07-19 16:45:14,125 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-07-19 16:45:14,125 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-07-19 16:45:14,140 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-07-19 16:45:14,140 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-07-19 16:45:14,156 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-07-19 16:45:14,156 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-07-19 16:45:14,156 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-07-19 16:45:14,156 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-07-19 16:45:14,156 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-07-19 16:45:14,156 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-07-19 16:45:14,156 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-07-19 16:45:14,156 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-07-19 16:45:14,156 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-07-19 16:45:14,171 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-07-19 16:45:14,171 [lib.api.screenshot] DEBUG: Importing 'math'
2020-07-19 16:45:14,171 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-07-19 16:45:14,500 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-07-19 16:45:14,546 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-07-19 16:45:14,578 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-07-19 16:45:14,578 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-07-19 16:45:14,578 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-07-19 16:45:14,578 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-07-19 16:45:14,578 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-07-19 16:45:14,593 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-07-19 16:45:14,593 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-07-19 16:45:14,593 [root] DEBUG: Initialized auxiliary module "Browser".
2020-07-19 16:45:14,609 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-07-19 16:45:14,609 [root] DEBUG: Started auxiliary module Browser
2020-07-19 16:45:14,609 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-07-19 16:45:14,609 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-07-19 16:45:14,609 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-07-19 16:45:14,609 [root] DEBUG: Started auxiliary module Curtain
2020-07-19 16:45:14,625 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-07-19 16:45:14,625 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-07-19 16:45:14,625 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-07-19 16:45:14,625 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-07-19 16:45:15,593 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-07-19 16:45:15,593 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-07-19 16:45:15,609 [root] DEBUG: Started auxiliary module DigiSig
2020-07-19 16:45:15,609 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-07-19 16:45:15,609 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-07-19 16:45:15,609 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-07-19 16:45:15,640 [root] DEBUG: Started auxiliary module Disguise
2020-07-19 16:45:15,640 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-07-19 16:45:15,640 [root] DEBUG: Initialized auxiliary module "Human".
2020-07-19 16:45:15,640 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-07-19 16:45:15,656 [root] DEBUG: Started auxiliary module Human
2020-07-19 16:45:15,656 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-07-19 16:45:15,656 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-07-19 16:45:15,656 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-07-19 16:45:15,718 [root] DEBUG: Started auxiliary module Procmon
2020-07-19 16:45:15,718 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-07-19 16:45:15,718 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-07-19 16:45:15,718 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-07-19 16:45:15,718 [root] DEBUG: Started auxiliary module Screenshots
2020-07-19 16:45:15,718 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-07-19 16:45:15,718 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-07-19 16:45:15,718 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-07-19 16:45:15,734 [root] DEBUG: Started auxiliary module Sysmon
2020-07-19 16:45:15,734 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-07-19 16:45:15,734 [root] DEBUG: Initialized auxiliary module "Usage".
2020-07-19 16:45:15,734 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-07-19 16:45:15,734 [root] DEBUG: Started auxiliary module Usage
2020-07-19 16:45:15,734 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-07-19 16:45:15,734 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-07-19 16:45:15,734 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-07-19 16:45:15,734 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-07-19 16:45:16,140 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\flokibot_0.0.0.12.vir" with arguments "" with pid 4544
2020-07-19 16:45:16,140 [lib.api.process] INFO: Monitor config for process 4544: C:\tmp2ylp3rhi\dll\4544.ini
2020-07-19 16:45:16,140 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ylp3rhi\dll\LTfUij.dll, loader C:\tmp2ylp3rhi\bin\GeDNWmP.exe
2020-07-19 16:45:16,234 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\soMdsCGIeF.
2020-07-19 16:45:16,249 [root] DEBUG: Loader: Injecting process 4544 (thread 4320) with C:\tmp2ylp3rhi\dll\LTfUij.dll.
2020-07-19 16:45:16,249 [root] DEBUG: Process image base: 0x00400000
2020-07-19 16:45:16,249 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ylp3rhi\dll\LTfUij.dll.
2020-07-19 16:45:16,249 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-07-19 16:45:16,249 [root] DEBUG: Successfully injected DLL C:\tmp2ylp3rhi\dll\LTfUij.dll.
2020-07-19 16:45:16,265 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4544
2020-07-19 16:45:18,375 [lib.api.process] INFO: Successfully resumed process with pid 4544
2020-07-19 16:45:18,515 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-07-19 16:45:18,531 [root] DEBUG: Dropped file limit defaulting to 100.
2020-07-19 16:45:18,531 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-07-19 16:45:18,531 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4544 at 0x6ac70000, image base 0x400000, stack from 0x126000-0x130000
2020-07-19 16:45:18,546 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\flokibot_0.0.0.12.vir".
2020-07-19 16:45:18,593 [root] INFO: Loaded monitor into process with pid 4544
2020-07-19 16:45:18,593 [root] INFO: Disabling sleep skipping.
2020-07-19 16:45:18,593 [root] INFO: Disabling sleep skipping.
2020-07-19 16:45:18,593 [root] INFO: Disabling sleep skipping.
2020-07-19 16:45:18,671 [root] DEBUG: api-rate-cap: FindNextFileW hook disabled.
2020-07-19 16:45:18,781 [root] DEBUG: DLL loaded at 0x76940000: C:\Windows\system32\wininet (0x1c4000 bytes).
2020-07-19 16:45:18,781 [root] DEBUG: DLL loaded at 0x755E0000: C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-07-19 16:45:18,781 [root] DEBUG: DLL loaded at 0x755D0000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-07-19 16:45:18,796 [root] DEBUG: DLL loaded at 0x75560000: C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-07-19 16:45:18,796 [root] DEBUG: DLL loaded at 0x74760000: C:\Windows\system32\version (0x9000 bytes).
2020-07-19 16:45:18,796 [root] DEBUG: DLL loaded at 0x755C0000: C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-07-19 16:45:18,796 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\system32\normaliz (0x3000 bytes).
2020-07-19 16:45:18,796 [root] DEBUG: DLL loaded at 0x76B10000: C:\Windows\system32\iertutil (0x215000 bytes).
2020-07-19 16:45:18,812 [root] DEBUG: DLL loaded at 0x75550000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-07-19 16:45:18,890 [root] DEBUG: DLL loaded at 0x77410000: C:\Windows\system32\ws2_32 (0x35000 bytes).
2020-07-19 16:45:18,890 [root] DEBUG: DLL loaded at 0x77400000: C:\Windows\system32\NSI (0x6000 bytes).
2020-07-19 16:45:18,968 [root] DEBUG: DLL loaded at 0x75640000: C:\Windows\system32\shell32 (0xc4c000 bytes).
2020-07-19 16:45:19,062 [root] DEBUG: DLL loaded at 0x75010000: C:\Windows\system32\secur32 (0x8000 bytes).
2020-07-19 16:45:19,078 [root] DEBUG: DLL loaded at 0x75400000: C:\Windows\system32\crypt32 (0x122000 bytes).
2020-07-19 16:45:19,078 [root] DEBUG: DLL loaded at 0x75300000: C:\Windows\system32\MSASN1 (0xc000 bytes).
2020-07-19 16:45:19,234 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xcc and local view 0x02B20000 to global list.
2020-07-19 16:45:19,234 [root] INFO: Sample attempted to remap module 'C:\Windows\System32\ntdll.dll' at 0x02B20000, returning original module address instead: 0x772A0000
2020-07-19 16:48:38,625 [root] INFO: Analysis timeout hit, terminating analysis.
2020-07-19 16:48:38,625 [lib.api.process] ERROR: Failed to open terminate event for pid 4544
2020-07-19 16:48:38,625 [root] INFO: Terminate event set for process 4544.
2020-07-19 16:48:38,625 [root] INFO: Created shutdown mutex.
2020-07-19 16:48:39,625 [root] INFO: Shutting down package.
2020-07-19 16:48:39,625 [root] INFO: Stopping auxiliary modules.
2020-07-19 16:48:39,734 [lib.common.results] WARNING: File C:\lZwNzxI\bin\procmon.xml doesn't exist anymore
2020-07-19 16:48:39,734 [root] INFO: Finishing auxiliary modules.
2020-07-19 16:48:39,734 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-07-19 16:48:39,734 [root] WARNING: Folder at path "C:\lZwNzxI\debugger" does not exist, skip.
2020-07-19 16:48:39,734 [root] INFO: Analysis completed.

Machine

Name win7_2
Label win7_2
Manager KVM
Started On 2020-07-19 16:59:18
Shutdown On 2020-07-19 17:04:22

File Details

File Name flokibot_0.0.0.12.vir
File Size 238080 bytes
File Type MS-DOS executable
PE timestamp 2016-10-05 10:19:18
MD5 5649e7a200df2fb85ad1fb5a723bef22
SHA1 b057d20122048001850afeca671fd31dbcdd1c76
SHA256 5e1967db286d886b87d1ec655559b9af694fc6e002fea3a6c7fd3c6b0b49ea6e
SHA512 9bb3fb0410d4b8ae36e9bcc8dc75de5369c0de765dfaa3e5a2f451df5b162ad65166012f6d504cb9400fb9b66bb6a52eebac329496d402920bc67d16e047cbc5
CRC32 C6EB866E
Ssdeep 6144:3Kk3o2044/KBDyoEUkJlZth4hbNcfCz4j2DNHaFC1C+R:ak3+S9vkv74bYeDRaFwC+
Yara
  • HeavensGate - Heaven's Gate: Switch from 32-bit to 64-mode - Author: kevoreilly

Signatures

Dynamic (imported) function loading detected
DynamicLoader: ntdll.dll/NtOpenProcess
DynamicLoader: ntdll.dll/NtProtectVirtualMemory
DynamicLoader: ntdll.dll/NtQueryDirectoryFile
DynamicLoader: ntdll.dll/RtlCompressBuffer
DynamicLoader: ntdll.dll/RtlFreeUnicodeString
DynamicLoader: ntdll.dll/NtMapViewOfSection
DynamicLoader: ntdll.dll/RtlAllocateHeap
DynamicLoader: ntdll.dll/RtlDeleteCriticalSection
DynamicLoader: ntdll.dll/LdrLoadDll
DynamicLoader: ntdll.dll/NtAlertResumeThread
DynamicLoader: ntdll.dll/RtlCreateHeap
DynamicLoader: ntdll.dll/RtlGetCompressionWorkSpaceSize
DynamicLoader: ntdll.dll/RtlInitializeCriticalSection
DynamicLoader: ntdll.dll/NtUnmapViewOfSection
DynamicLoader: ntdll.dll/RtlUserThreadStart
DynamicLoader: ntdll.dll/NtQueueApcThread
DynamicLoader: ntdll.dll/NtAllocateVirtualMemory
DynamicLoader: ntdll.dll/NtReadVirtualMemory
DynamicLoader: ntdll.dll/NtCreateFile
DynamicLoader: ntdll.dll/RtlFreeHeap
DynamicLoader: ntdll.dll/LdrGetDllHandle
DynamicLoader: ntdll.dll/RtlDecompressBuffer
DynamicLoader: ntdll.dll/NtQueryVirtualMemory
DynamicLoader: ntdll.dll/NtQueryInformationProcess
DynamicLoader: ntdll.dll/RtlAnsiStringToUnicodeString
DynamicLoader: ntdll.dll/NtWriteVirtualMemory
DynamicLoader: ntdll.dll/RtlEnterCriticalSection
DynamicLoader: ntdll.dll/NtResumeThread
DynamicLoader: ntdll.dll/RtlReAllocateHeap
DynamicLoader: ntdll.dll/NtClose
DynamicLoader: ntdll.dll/NtCreateSection
DynamicLoader: ntdll.dll/NtSetContextThread
DynamicLoader: ntdll.dll/NtQueryInformationThread
DynamicLoader: ntdll.dll/NtFreeVirtualMemory
DynamicLoader: ntdll.dll/NtWriteFile
DynamicLoader: ntdll.dll/NtReadFile
DynamicLoader: ntdll.dll/RtlDestroyHeap
DynamicLoader: ntdll.dll/NtDuplicateObject
DynamicLoader: ntdll.dll/RtlLeaveCriticalSection
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/VirtualQueryEx
DynamicLoader: kernel32.dll/GetWindowsDirectoryW
DynamicLoader: kernel32.dll/OpenMutexW
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/Module32NextW
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/ReadProcessMemory
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/SetThreadPriority
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/GetProcessId
DynamicLoader: kernel32.dll/CreateMutexW
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/Thread32Next
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/GetSystemDirectoryW
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/DuplicateHandle
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/Thread32First
DynamicLoader: kernel32.dll/SetThreadContext
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/IsBadReadPtr
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: kernel32.dll/GetLocalTime
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: kernel32.dll/Process32NextW
DynamicLoader: kernel32.dll/GetFileSizeEx
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetThreadContext
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetSystemTime
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/ResetEvent
DynamicLoader: kernel32.dll/lstrcmpiA
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: kernel32.dll/MoveFileExW
DynamicLoader: kernel32.dll/Process32FirstW
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/GetTempPathW
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/CreateRemoteThread
DynamicLoader: kernel32.dll/VirtualFreeEx
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: wininet.dll/HttpSendRequestA
DynamicLoader: wininet.dll/InternetOpenA
DynamicLoader: wininet.dll/InternetQueryOptionA
DynamicLoader: wininet.dll/HttpAddRequestHeadersA
DynamicLoader: wininet.dll/InternetQueryOptionW
DynamicLoader: wininet.dll/InternetConnectA
DynamicLoader: wininet.dll/HttpSendRequestW
DynamicLoader: wininet.dll/InternetSetOptionA
DynamicLoader: wininet.dll/InternetCloseHandle
DynamicLoader: wininet.dll/HttpAddRequestHeadersW
DynamicLoader: wininet.dll/HttpOpenRequestA
DynamicLoader: wininet.dll/InternetReadFile
DynamicLoader: wininet.dll/GetUrlCacheEntryInfoW
DynamicLoader: wininet.dll/HttpSendRequestExA
DynamicLoader: wininet.dll/InternetQueryDataAvailable
DynamicLoader: wininet.dll/InternetCrackUrlA
DynamicLoader: wininet.dll/HttpQueryInfoA
DynamicLoader: wininet.dll/InternetReadFileExA
DynamicLoader: wininet.dll/HttpSendRequestExW
DynamicLoader: wininet.dll/InternetSetStatusCallbackW
DynamicLoader: ws2_32.dll/connect
DynamicLoader: ws2_32.dll/getaddrinfo
DynamicLoader: ws2_32.dll/WSAAddressToStringW
DynamicLoader: ws2_32.dll/WSACleanup
DynamicLoader: ws2_32.dll/getpeername
DynamicLoader: ws2_32.dll/WSAStartup
DynamicLoader: ws2_32.dll/shutdown
DynamicLoader: ws2_32.dll/WSASend
DynamicLoader: ws2_32.dll/setsockopt
DynamicLoader: ws2_32.dll/WSAIoctl
DynamicLoader: ws2_32.dll/getsockname
DynamicLoader: ws2_32.dll/socket
DynamicLoader: ws2_32.dll/GetAddrInfoW
DynamicLoader: ws2_32.dll/listen
DynamicLoader: ws2_32.dll/recv
DynamicLoader: ws2_32.dll/WSAStringToAddressW
DynamicLoader: ws2_32.dll/freeaddrinfo
DynamicLoader: ws2_32.dll/sendto
DynamicLoader: ws2_32.dll/closesocket
DynamicLoader: ws2_32.dll/bind
DynamicLoader: ws2_32.dll/select
DynamicLoader: ws2_32.dll/send
DynamicLoader: ws2_32.dll/accept
DynamicLoader: ADVAPI32.dll/GetLengthSid
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: ADVAPI32.dll/InitiateSystemShutdownExW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: SHLWAPI.dll/PathRemoveBackslashW
DynamicLoader: SHLWAPI.dll/StrStrW
DynamicLoader: SHLWAPI.dll/StrStrA
DynamicLoader: SHLWAPI.dll/PathQuoteSpacesW
DynamicLoader: SHLWAPI.dll/SHDeleteKeyW
DynamicLoader: SHLWAPI.dll/SHDeleteValueW
DynamicLoader: SHLWAPI.dll/PathRenameExtensionW
DynamicLoader: SHLWAPI.dll/PathFindFileNameW
DynamicLoader: SHLWAPI.dll/wvnsprintfW
DynamicLoader: SHLWAPI.dll/wvnsprintfA
DynamicLoader: secur32.dll/GetUserNameExW
DynamicLoader: crypt32.dll/CertOpenSystemStoreW
DynamicLoader: crypt32.dll/CertEnumCertificatesInStore
DynamicLoader: crypt32.dll/PFXExportCertStoreEx
DynamicLoader: crypt32.dll/CertCloseStore
DynamicLoader: crypt32.dll/PFXImportCertStore
DynamicLoader: crypt32.dll/CertDuplicateCertificateContext
DynamicLoader: crypt32.dll/CertDeleteCertificateFromStore
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/GetClipboardData
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: USER32.dll/GetWindowTextLengthW
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: USER32.dll/IsWindow
DynamicLoader: USER32.dll/ExitWindowsEx
DynamicLoader: USER32.dll/OpenInputDesktop
DynamicLoader: USER32.dll/SwitchDesktop
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: USER32.dll/OpenWindowStationW
DynamicLoader: USER32.dll/CreateWindowStationW
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/SetProcessWindowStation
DynamicLoader: USER32.dll/OpenDesktopW
DynamicLoader: USER32.dll/CreateDesktopW
DynamicLoader: USER32.dll/GetThreadDesktop
DynamicLoader: USER32.dll/SetThreadDesktop
DynamicLoader: USER32.dll/CloseWindowStation
DynamicLoader: USER32.dll/DefFrameProcW
DynamicLoader: USER32.dll/DefFrameProcA
DynamicLoader: USER32.dll/DefMDIChildProcW
DynamicLoader: USER32.dll/DefMDIChildProcA
DynamicLoader: USER32.dll/CallWindowProcW
DynamicLoader: USER32.dll/CallWindowProcA
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: USER32.dll/RegisterClassA
DynamicLoader: USER32.dll/RegisterClassExW
DynamicLoader: USER32.dll/RegisterClassExA
DynamicLoader: USER32.dll/BeginPaint
DynamicLoader: USER32.dll/EndPaint
DynamicLoader: USER32.dll/GetDCEx
DynamicLoader: USER32.dll/GetDC
DynamicLoader: USER32.dll/GetWindowDC
DynamicLoader: USER32.dll/ReleaseDC
DynamicLoader: USER32.dll/GetUpdateRect
DynamicLoader: USER32.dll/GetUpdateRgn
DynamicLoader: USER32.dll/GetMessagePos
DynamicLoader: USER32.dll/GetCursorPos
DynamicLoader: USER32.dll/SetCursorPos
DynamicLoader: USER32.dll/SetCapture
DynamicLoader: USER32.dll/ReleaseCapture
DynamicLoader: USER32.dll/GetCapture
DynamicLoader: USER32.dll/GetMessageW
DynamicLoader: USER32.dll/GetMessageA
DynamicLoader: USER32.dll/PeekMessageW
DynamicLoader: USER32.dll/PeekMessageA
DynamicLoader: USER32.dll/DefWindowProcA
DynamicLoader: USER32.dll/DefDlgProcW
DynamicLoader: USER32.dll/DefDlgProcA
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/GetKeyboardState
DynamicLoader: USER32.dll/ToUnicode
DynamicLoader: USER32.dll/CloseDesktop
DynamicLoader: USER32.dll/DrawIcon
DynamicLoader: USER32.dll/GetIconInfo
DynamicLoader: USER32.dll/CharLowerA
DynamicLoader: USER32.dll/MsgWaitForMultipleObjects
DynamicLoader: USER32.dll/CharLowerBuffA
DynamicLoader: USER32.dll/GetDesktopWindow
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: GDI32.dll/CreateDCW
DynamicLoader: GDI32.dll/CreateCompatibleDC
DynamicLoader: GDI32.dll/CreateCompatibleBitmap
DynamicLoader: GDI32.dll/GetDeviceCaps
DynamicLoader: GDI32.dll/SelectObject
DynamicLoader: GDI32.dll/BitBlt
DynamicLoader: GDI32.dll/DeleteObject
DynamicLoader: GDI32.dll/DeleteDC
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary likely contains encrypted or compressed data.
section: name: .rsrc, entropy: 8.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00033800, virtual_size: 0x00033660
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Rebecca\AppData\Local\Temp\flokibot_0.0.0.12.vir
Network activity detected but not expressed in API logs
File has been identified by 57 Antiviruses on VirusTotal as malicious
MicroWorld-eScan: Gen:Variant.Agiala.16
FireEye: Generic.mg.5649e7a200df2fb8
Qihoo-360: Generic/HEUR/QVM20.1.1E3C.Malware.Gen
McAfee: GenericRXBA-SD!5649E7A200DF
Cylance: Unsafe
Zillya: Dropper.Injector.Win32.79202
K7AntiVirus: Riskware ( 0040eff71 )
Alibaba: TrojanSpy:Win32/Generic.a8379a63
K7GW: Riskware ( 0040eff71 )
Cybereason: malicious.200df2
TrendMicro: TSPY_FLOKIBOT.A
APEX: Malicious
Avast: Win32:Trojan-gen
ClamAV: Win.Trojan.Flokibot-2
Kaspersky: HEUR:Trojan.Win32.Generic
BitDefender: Gen:Variant.Agiala.16
NANO-Antivirus: Trojan.Win32.Inject.egzjta
Paloalto: generic.ml
AegisLab: Trojan.Win32.Generic.4!c
Tencent: Malware.Win32.Gencirc.114b17d7
Endgame: malicious (high confidence)
Sophos: Troj/Floki-A
F-Secure: Trojan.TR/Dropper.Gen
DrWeb: Trojan.PWS.Panda.11964
VIPRE: Trojan.Win32.Generic!BT
Invincea: heuristic
McAfee-GW-Edition: BehavesLike.Win32.Generic.dc
Trapmine: malicious.high.ml.score
Emsisoft: Gen:Variant.Agiala.16 (B)
SentinelOne: DFI - Malicious PE
Jiangmin: TrojanDropper.Injector.bkkj
Webroot: W32.Trojan.Dynamer
Avira: TR/Dropper.Gen
Fortinet: W32/Generic.AC.3920D9!tr
Antiy-AVL: Trojan[Dropper]/Win32.Injector
Arcabit: Trojan.Agiala.16
ViRobot: Dropper.Agent.238080.G
AhnLab-V3: Dropper/Win32.Injector.C1595901
ZoneAlarm: HEUR:Trojan.Win32.Generic
Microsoft: PWS:Win32/Zbot!rfn
ESET-NOD32: a variant of Win32/Spy.Zbot.ACS
Acronis: suspicious
BitDefenderTheta: Gen:[email protected]
ALYac: Trojan.Flokibot
MAX: malware (ai score=100)
VBA32: BScope.TrojanPSW.Panda
TrendMicro-HouseCall: TSPY_FLOKIBOT.A
Rising: Spyware.Zbot!8.16B (CLOUD)
Yandex: Trojan.DR.Injector!KGhg+XZ3sdU
Ikarus: Trojan.Kazy
eGambit: Unsafe.AI_Score_63%
GData: Gen:Variant.Agiala.16
Ad-Aware: Gen:Variant.Agiala.16
AVG: Win32:Trojan-gen
Panda: Trj/CI.A
CrowdStrike: win/malicious_confidence_90% (W)
MaxSecure: Trojan.Malware.9998282.susgen
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - Various Malspam/RigEK

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 United States
Y 1.1.1.1 Australia

DNS

No domains contacted.


Summary

C:\Windows\System32\*.dll
C:\Windows\System32
C:\Windows\System32\ntdll.dll
DisableUserModeCallbackFilter
shlwapi.dll.StrStrW
shlwapi.dll.StrStrA
shlwapi.dll.PathQuoteSpacesW
shlwapi.dll.SHDeleteKeyW
shlwapi.dll.SHDeleteValueW
shlwapi.dll.PathRenameExtensionW
shlwapi.dll.PathFindFileNameW
shlwapi.dll.wvnsprintfW
shlwapi.dll.wvnsprintfA
secur32.dll.GetUserNameExW
crypt32.dll.CertOpenSystemStoreW
crypt32.dll.CertEnumCertificatesInStore
crypt32.dll.PFXExportCertStoreEx
crypt32.dll.CertCloseStore
crypt32.dll.PFXImportCertStore
crypt32.dll.CertDuplicateCertificateContext
crypt32.dll.CertDeleteCertificateFromStore

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash
0x00400000 0x00402679 0x00000000 0x0003d740 5.1 2016-10-05 10:19:18 43e464016faeb4bab85676f508decd6e

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x00003b3e 0x00003c00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.06
.data 0x00004000 0x00005000 0x00003348 0x00002200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 6.45
.rsrc 0x00006200 0x00009000 0x00033660 0x00033800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 8.00
.reloc 0x00039a00 0x0003d000 0x000006d6 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.26

Resources

Name Offset Size Language Sub-language Entropy File type
RT_RCDATA 0x0003c650 0x00000010 LANG_NEUTRAL SUBLANG_NEUTRAL 3.88 None
RT_RCDATA 0x0003c650 0x00000010 LANG_NEUTRAL SUBLANG_NEUTRAL 3.88 None
RT_RCDATA 0x0003c650 0x00000010 LANG_NEUTRAL SUBLANG_NEUTRAL 3.88 None


.text
`.data
.rsrc
@.reloc
Hash: 0x%x not loaded.
FreeResource
MapViewOfFile
UnmapViewOfFile
FindResourceW
LoadResource
GetProcessHeap
IsBadReadPtr
SizeofResource
CreateFileMappingW
LockResource
KERNEL32.dll
MessageBoxA
wsprintfA
USER32.dll
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetSecurityDescriptorSacl
SetSecurityDescriptorSacl
ADVAPI32.dll
\*.dll
S:(ML;;NRNWNX;;;LW)
%s\%s
*.dll
%s\SysWOW64\explorer.exe
%s\explorer.exe
%s\SysWOW64\svchost.exe
%s\svchost.exe
bot32
bot64
BOT32
BOT64

Full Results

Engine Signature
Bkav Clean
MicroWorld-eScan Gen:Variant.Agiala.16
FireEye Generic.mg.5649e7a200df2fb8
CAT-QuickHeal Clean
Qihoo-360 Generic/HEUR/QVM20.1.1E3C.Malware.Gen
McAfee GenericRXBA-SD!5649E7A200DF
Cylance Unsafe
Zillya Dropper.Injector.Win32.79202
SUPERAntiSpyware Clean
Sangfor Clean
K7AntiVirus Riskware ( 0040eff71 )
Alibaba TrojanSpy:Win32/Generic.a8379a63
K7GW Riskware ( 0040eff71 )
Cybereason malicious.200df2
TrendMicro TSPY_FLOKIBOT.A
Baidu Clean
F-Prot Clean
TotalDefense Clean
APEX Malicious
Avast Win32:Trojan-gen
ClamAV Win.Trojan.Flokibot-2
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Gen:Variant.Agiala.16
NANO-Antivirus Trojan.Win32.Inject.egzjta
Paloalto generic.ml
AegisLab Trojan.Win32.Generic.4!c
Tencent Malware.Win32.Gencirc.114b17d7
Endgame malicious (high confidence)
Sophos Troj/Floki-A
Comodo Clean
F-Secure Trojan.TR/Dropper.Gen
DrWeb Trojan.PWS.Panda.11964
VIPRE Trojan.Win32.Generic!BT
Invincea heuristic
McAfee-GW-Edition BehavesLike.Win32.Generic.dc
Trapmine malicious.high.ml.score
CMC Clean
Emsisoft Gen:Variant.Agiala.16 (B)
SentinelOne DFI - Malicious PE
Cyren Clean
Jiangmin TrojanDropper.Injector.bkkj
Webroot W32.Trojan.Dynamer
Avira TR/Dropper.Gen
Fortinet W32/Generic.AC.3920D9!tr
Antiy-AVL Trojan[Dropper]/Win32.Injector
Kingsoft Clean
Arcabit Trojan.Agiala.16
ViRobot Dropper.Agent.238080.G
AhnLab-V3 Dropper/Win32.Injector.C1595901
ZoneAlarm HEUR:Trojan.Win32.Generic
Avast-Mobile Clean
Microsoft PWS:Win32/Zbot!rfn
TACHYON Clean
ESET-NOD32 a variant of Win32/Spy.Zbot.ACS
Acronis suspicious
BitDefenderTheta Gen:[email protected]
ALYac Trojan.Flokibot
MAX malware (ai score=100)
VBA32 BScope.TrojanPSW.Panda
Malwarebytes Clean
Zoner Clean
TrendMicro-HouseCall TSPY_FLOKIBOT.A
Rising Spyware.Zbot!8.16B (CLOUD)
Yandex Trojan.DR.Injector!KGhg+XZ3sdU
Ikarus Trojan.Kazy
eGambit Unsafe.AI_Score_63%
GData Gen:Variant.Agiala.16
Ad-Aware Gen:Variant.Agiala.16
AVG Win32:Trojan-gen
Panda Trj/CI.A
CrowdStrike win/malicious_confidence_90% (W)
MaxSecure Trojan.Malware.9998282.susgen
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 United States
Y 1.1.1.1 Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.3 58700 1.1.1.1 53
192.168.1.3 60886 1.1.1.1 53
192.168.1.3 137 192.168.1.255 137
192.168.1.3 58700 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-07-19 17:00:56.336 192.168.1.3 49180 13.107.42.23 443 TCP 1 2028397 2 ET JA3 Hash - Possible Malware - Various Malspam/RigEK Unknown Traffic 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-07-19 17:00:56.338 192.168.1.3 49180 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.3 49180 13.107.42.23 443 3b483d0b34894548b602e8d18cdc24c5 unknown
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1045 - Software Packing
    • Signature - packer_entropy

    Processing ( 8.073 seconds )

    • 5.235 Suricata
    • 1.797 BehaviorAnalysis
    • 0.475 VirusTotal
    • 0.275 Static
    • 0.083 AnalysisInfo
    • 0.08 NetworkAnalysis
    • 0.047 Deduplicate
    • 0.031 CAPE
    • 0.026 TargetInfo
    • 0.008 Debug
    • 0.008 peid
    • 0.008 Strings

    Signatures ( 0.11100000000000004 seconds )

    • 0.011 ransomware_files
    • 0.007 antiav_detectreg
    • 0.007 ransomware_extensions
    • 0.005 antiemu_wine_func
    • 0.005 antiav_detectfile
    • 0.005 infostealer_ftp
    • 0.004 Doppelganging
    • 0.004 api_spamming
    • 0.004 decoy_document
    • 0.004 dynamic_function_loading
    • 0.004 stealth_timeout
    • 0.004 infostealer_bitcoin
    • 0.004 territorial_disputes_sigs
    • 0.003 infostealer_browser_password
    • 0.003 kovter_behavior
    • 0.003 malicious_dynamic_function_loading
    • 0.003 persistence_autorun
    • 0.003 NewtWire Behavior
    • 0.003 antianalysis_detectfile
    • 0.003 infostealer_im
    • 0.002 antivm_vbox_files
    • 0.002 geodo_banking_trojan
    • 0.002 browser_security
    • 0.002 infostealer_mail
    • 0.002 masquerade_process_name
    • 0.001 betabot_behavior
    • 0.001 exploit_getbasekerneladdress
    • 0.001 exploit_gethaldispatchtable
    • 0.001 kibex_behavior
    • 0.001 tinba_behavior
    • 0.001 antianalysis_detectreg
    • 0.001 antidbg_devices
    • 0.001 disables_browser_warn
    • 0.001 azorult_mutexes
    • 0.001 masslogger_files
    • 0.001 revil_mutexes
    • 0.001 modirat_bheavior

    Reporting ( 1.3539999999999999 seconds )

    • 1.047 BinGraph
    • 0.307 MITRE_TTPS