Edit tour

Windows Analysis Report
OEoRzjI7JgSiUUd.exe

Overview

General Information

Sample name:	OEoRzjI7JgSiUUd.exe
Analysis ID:	1622870
MD5:	9198587cb5ed3fac57fe2693b7218dca
SHA1:	8cd1838744b27b7ea50f62a1f32d9eb8f93aafe5
SHA256:	b6383a5fe17a23dce23e59aee55a9d304e60b25cc7cefe9d97e7703b0886c1bf
Tags:	exeLokiuser-threatcat_ch
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Lokibot

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

OEoRzjI7JgSiUUd.exe (PID: 3132 cmdline: "C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe" MD5: 9198587CB5ED3FAC57FE2693B7218DCA)

powershell.exe (PID: 6340 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7216 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yteYLhteU.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7304 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yteYLhteU" /XML "C:\Users\user\AppData\Local\Temp\tmpFF21.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7436 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

powershell.exe (PID: 7728 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7760 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7812 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKLIKWXJXPZTHN" /XML "C:\Users\user\AppData\Local\Temp\tmp15A7.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7992 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

yteYLhteU.exe (PID: 7492 cmdline: C:\Users\user\AppData\Roaming\yteYLhteU.exe MD5: 9198587CB5ED3FAC57FE2693B7218DCA)

schtasks.exe (PID: 8164 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yteYLhteU" /XML "C:\Users\user\AppData\Local\Temp\tmp1FD8.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7352 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 4504 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

schtasks.exe (PID: 7364 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKLIKWXJXPZTHN" /XML "C:\Users\user\AppData\Local\Temp\tmp3871.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 6808 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1736 MD5: C31336C1EFC2CCB44B4326EA793040F2)

VKLIKWXJXPZTHN.exe (PID: 8052 cmdline: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 8068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://0xmrmagnezi.github.io/malware%20analysis/LokiBot/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.1847898439.0000000004D49000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000008.00000002.1847898439.0000000004D49000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000008.00000002.1847898439.0000000004D49000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1847898439.0000000004D49000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17650:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000008.00000002.1847898439.0000000004D49000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x4a1b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000008.00000002.1847898439.0000000004D49000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1325f:$des3: 68 03 66 00 00 0x17650:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1771c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000011.00000002.2955828597.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000011.00000002.2955828597.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000011.00000002.2955828597.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2955828597.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000011.00000002.2955828597.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000011.00000002.2955828597.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000011.00000002.2955828597.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000011.00000002.2955828597.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000008.00000002.1847898439.0000000004D63000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000008.00000002.1847898439.0000000004D63000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000008.00000002.1847898439.0000000004D63000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1847898439.0000000004D63000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17670:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000008.00000002.1847898439.0000000004D63000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x4a3b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000008.00000002.1847898439.0000000004D63000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1327f:$des3: 68 03 66 00 00 0x17670:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1773c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000018.00000002.2218781345.0000000003F63000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000018.00000002.2218781345.0000000003F63000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000018.00000002.2218781345.0000000003F63000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000002.2218781345.0000000003F63000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17da0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000018.00000002.2218781345.0000000003F63000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x516b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000018.00000002.2218781345.0000000003F63000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x139af:$des3: 68 03 66 00 00 0x17da0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x17e6c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000011.00000002.2956376552.0000000001328000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000018.00000002.2218781345.0000000003F49000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000018.00000002.2218781345.0000000003F49000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000018.00000002.2218781345.0000000003F49000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000002.2218781345.0000000003F49000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17d80:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000018.00000002.2218781345.0000000003F49000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x514b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000018.00000002.2218781345.0000000003F49000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1398f:$des3: 68 03 66 00 00 0x17d80:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x17e4c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000008.00000002.1835371381.000000000350F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000008.00000002.1835371381.000000000350F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000008.00000002.1835371381.000000000350F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1835371381.000000000350F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x2536c:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000008.00000002.1835371381.000000000350F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x1271f:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000008.00000002.1835371381.000000000350F000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x20f63:$des3: 68 03 66 00 00 0x2536c:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x25438:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: OEoRzjI7JgSiUUd.exe PID: 3132	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 7436	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: RegSvcs.exe PID: 7436	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: RegSvcs.exe PID: 7436	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 7436	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x3344:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x2fe9d:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x5fd0c:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: yteYLhteU.exe PID: 7492	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 7992	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: RegSvcs.exe PID: 7992	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: RegSvcs.exe PID: 7992	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: RegSvcs.exe PID: 7992	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x1dcf:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: RegSvcs.exe PID: 4504	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: RegSvcs.exe PID: 4504	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: RegSvcs.exe PID: 4504	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 4504	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x3275e:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x44a32:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 48 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
17.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
17.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
17.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
17.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
17.2.RegSvcs.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
17.2.RegSvcs.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
17.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
8.2.RegSvcs.exe.4d49260.3.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
8.2.RegSvcs.exe.4d49260.3.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
8.2.RegSvcs.exe.4d49260.3.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
8.2.RegSvcs.exe.4d49260.3.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
8.2.RegSvcs.exe.4d49260.3.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
24.2.RegSvcs.exe.3f49990.3.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
24.2.RegSvcs.exe.3f49990.3.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
24.2.RegSvcs.exe.3f49990.3.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
24.2.RegSvcs.exe.3f49990.3.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
24.2.RegSvcs.exe.3f49990.3.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
8.2.RegSvcs.exe.4d63280.4.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
8.2.RegSvcs.exe.4d63280.4.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
8.2.RegSvcs.exe.4d63280.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.RegSvcs.exe.4d63280.4.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
8.2.RegSvcs.exe.4d63280.4.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
8.2.RegSvcs.exe.4d63280.4.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
8.2.RegSvcs.exe.4d63280.4.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
8.2.RegSvcs.exe.4d63280.4.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
8.2.RegSvcs.exe.4d63280.4.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
8.2.RegSvcs.exe.4d63280.4.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
8.2.RegSvcs.exe.4d63280.4.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
8.2.RegSvcs.exe.4d63280.4.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
8.2.RegSvcs.exe.4d63280.4.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
24.2.RegSvcs.exe.3f639b0.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
24.2.RegSvcs.exe.3f639b0.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
24.2.RegSvcs.exe.3f639b0.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
24.2.RegSvcs.exe.3f639b0.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
24.2.RegSvcs.exe.3f639b0.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
24.2.RegSvcs.exe.3f49990.3.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
24.2.RegSvcs.exe.3f49990.3.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
24.2.RegSvcs.exe.3f49990.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
24.2.RegSvcs.exe.3f49990.3.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
24.2.RegSvcs.exe.3f49990.3.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
24.2.RegSvcs.exe.3f49990.3.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
24.2.RegSvcs.exe.3f49990.3.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
24.2.RegSvcs.exe.3f49990.3.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
17.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
17.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
17.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.RegSvcs.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
17.2.RegSvcs.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
17.2.RegSvcs.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
17.2.RegSvcs.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
17.2.RegSvcs.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
8.2.RegSvcs.exe.4d49260.3.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
8.2.RegSvcs.exe.4d49260.3.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
8.2.RegSvcs.exe.4d49260.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.RegSvcs.exe.4d49260.3.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
8.2.RegSvcs.exe.4d49260.3.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
8.2.RegSvcs.exe.4d49260.3.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
8.2.RegSvcs.exe.4d49260.3.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
8.2.RegSvcs.exe.4d49260.3.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
24.2.RegSvcs.exe.3f639b0.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
24.2.RegSvcs.exe.3f639b0.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
24.2.RegSvcs.exe.3f639b0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
24.2.RegSvcs.exe.3f639b0.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
24.2.RegSvcs.exe.3f639b0.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
24.2.RegSvcs.exe.3f639b0.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
24.2.RegSvcs.exe.3f639b0.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
24.2.RegSvcs.exe.3f639b0.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Click to see the 63 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe", ParentImage: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe, ParentProcessId: 3132, ParentProcessName: OEoRzjI7JgSiUUd.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe", ProcessId: 6340, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yteYLhteU" /XML "C:\Users\user\AppData\Local\Temp\tmp1FD8.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yteYLhteU" /XML "C:\Users\user\AppData\Local\Temp\tmp1FD8.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\yteYLhteU.exe, ParentImage: C:\Users\user\AppData\Roaming\yteYLhteU.exe, ParentProcessId: 7492, ParentProcessName: yteYLhteU.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yteYLhteU" /XML "C:\Users\user\AppData\Local\Temp\tmp1FD8.tmp", ProcessId: 8164, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yteYLhteU" /XML "C:\Users\user\AppData\Local\Temp\tmpFF21.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yteYLhteU" /XML "C:\Users\user\AppData\Local\Temp\tmpFF21.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe", ParentImage: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe, ParentProcessId: 3132, ParentProcessName: OEoRzjI7JgSiUUd.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yteYLhteU" /XML "C:\Users\user\AppData\Local\Temp\tmpFF21.tmp", ProcessId: 7304, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe", ParentImage: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe, ParentProcessId: 3132, ParentProcessName: OEoRzjI7JgSiUUd.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe", ProcessId: 6340, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yteYLhteU" /XML "C:\Users\user\AppData\Local\Temp\tmpFF21.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yteYLhteU" /XML "C:\Users\user\AppData\Local\Temp\tmpFF21.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe", ParentImage: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe, ParentProcessId: 3132, ParentProcessName: OEoRzjI7JgSiUUd.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yteYLhteU" /XML "C:\Users\user\AppData\Local\Temp\tmpFF21.tmp", ProcessId: 7304, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-24T16:42:23.828149+0100	2024312	1	A Network Trojan was detected	192.168.2.4	49738	104.21.96.1	80	TCP
2025-02-24T16:42:25.856355+0100	2024312	1	A Network Trojan was detected	192.168.2.4	49739	104.21.96.1	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-24T16:42:23.092975+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49738	104.21.96.1	80	TCP
2025-02-24T16:42:25.097025+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49739	104.21.96.1	80	TCP
2025-02-24T16:42:25.979331+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.21.96.1	80	TCP
2025-02-24T16:42:27.987839+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49746	104.21.96.1	80	TCP
2025-02-24T16:42:29.896862+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49748	104.21.96.1	80	TCP
2025-02-24T16:42:31.897018+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49749	104.21.96.1	80	TCP
2025-02-24T16:42:33.913970+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49750	104.21.96.1	80	TCP
2025-02-24T16:42:35.838809+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49751	104.21.96.1	80	TCP
2025-02-24T16:42:37.783674+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49752	104.21.96.1	80	TCP
2025-02-24T16:42:39.794187+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49753	104.21.96.1	80	TCP
2025-02-24T16:42:41.723340+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49754	104.21.96.1	80	TCP
2025-02-24T16:42:43.712441+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49755	104.21.96.1	80	TCP
2025-02-24T16:42:45.644995+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49758	104.21.96.1	80	TCP
2025-02-24T16:42:47.597053+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49759	104.21.96.1	80	TCP
2025-02-24T16:42:49.573091+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49760	104.21.96.1	80	TCP
2025-02-24T16:42:52.489924+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49762	104.21.96.1	80	TCP
2025-02-24T16:42:54.434059+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49765	104.21.96.1	80	TCP
2025-02-24T16:42:56.393156+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49767	104.21.96.1	80	TCP
2025-02-24T16:42:58.430719+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49769	104.21.96.1	80	TCP
2025-02-24T16:43:00.442267+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49770	104.21.96.1	80	TCP
2025-02-24T16:43:02.408181+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49771	104.21.96.1	80	TCP
2025-02-24T16:43:04.417660+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49772	104.21.96.1	80	TCP
2025-02-24T16:43:06.370318+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49780	104.21.96.1	80	TCP
2025-02-24T16:43:08.282460+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49791	104.21.96.1	80	TCP
2025-02-24T16:43:10.237352+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49807	104.21.96.1	80	TCP
2025-02-24T16:43:12.224448+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49818	104.21.96.1	80	TCP
2025-02-24T16:43:14.147703+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49832	104.21.96.1	80	TCP
2025-02-24T16:43:16.034148+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49844	104.21.96.1	80	TCP
2025-02-24T16:43:18.043130+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49855	104.21.96.1	80	TCP
2025-02-24T16:43:20.229798+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49871	104.21.96.1	80	TCP
2025-02-24T16:43:22.143649+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49882	104.21.96.1	80	TCP
2025-02-24T16:43:24.083051+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49896	104.21.96.1	80	TCP
2025-02-24T16:43:26.071116+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49909	104.21.96.1	80	TCP
2025-02-24T16:43:28.013014+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49923	104.21.96.1	80	TCP
2025-02-24T16:43:29.929566+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49935	104.21.96.1	80	TCP
2025-02-24T16:43:31.862819+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49950	104.21.96.1	80	TCP
2025-02-24T16:43:34.844913+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49968	104.21.96.1	80	TCP
2025-02-24T16:43:36.792593+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49982	104.21.96.1	80	TCP
2025-02-24T16:43:38.853411+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49998	104.21.96.1	80	TCP
2025-02-24T16:43:40.822823+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50009	104.21.96.1	80	TCP
2025-02-24T16:43:42.754297+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50024	104.21.96.1	80	TCP
2025-02-24T16:43:44.741083+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50036	104.21.96.1	80	TCP
2025-02-24T16:43:46.721609+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50050	104.21.96.1	80	TCP
2025-02-24T16:43:48.718252+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50060	104.21.96.1	80	TCP
2025-02-24T16:43:50.697045+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50061	104.21.96.1	80	TCP
2025-02-24T16:43:52.602845+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50062	104.21.96.1	80	TCP
2025-02-24T16:43:54.550119+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50063	104.21.96.1	80	TCP
2025-02-24T16:43:56.490788+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50064	104.21.96.1	80	TCP
2025-02-24T16:43:58.502924+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50065	104.21.96.1	80	TCP
2025-02-24T16:44:00.705696+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50066	104.21.96.1	80	TCP
2025-02-24T16:44:02.658162+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50067	104.21.96.1	80	TCP
2025-02-24T16:44:04.721825+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50068	104.21.96.1	80	TCP
2025-02-24T16:44:06.875861+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50069	104.21.96.1	80	TCP
2025-02-24T16:44:08.819530+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50070	104.21.96.1	80	TCP
2025-02-24T16:44:10.869763+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50071	104.21.96.1	80	TCP
2025-02-24T16:44:13.220656+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50072	104.21.96.1	80	TCP
2025-02-24T16:44:15.178259+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50073	104.21.96.1	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-24T16:42:26.807387+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	49741	TCP
2025-02-24T16:42:30.739249+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	49748	TCP
2025-02-24T16:42:32.766193+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	49749	TCP
2025-02-24T16:42:36.608531+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	49751	TCP
2025-02-24T16:42:38.596281+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	49752	TCP
2025-02-24T16:42:42.532452+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	49754	TCP
2025-02-24T16:42:48.401388+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	49759	TCP
2025-02-24T16:42:53.254033+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	49762	TCP
2025-02-24T16:42:59.258346+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	49769	TCP
2025-02-24T16:43:01.211110+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	49770	TCP
2025-02-24T16:43:05.215190+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	49772	TCP
2025-02-24T16:43:11.059743+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	49807	TCP
2025-02-24T16:43:16.698562+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	49844	TCP
2025-02-24T16:43:18.842029+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	49855	TCP
2025-02-24T16:43:22.921456+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	49882	TCP
2025-02-24T16:43:24.882050+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	49896	TCP
2025-02-24T16:43:26.844435+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	49909	TCP
2025-02-24T16:43:43.512068+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	50024	TCP
2025-02-24T16:43:45.530321+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	50036	TCP
2025-02-24T16:43:47.556406+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	50050	TCP
2025-02-24T16:43:49.492741+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	50060	TCP
2025-02-24T16:43:51.363800+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	50061	TCP
2025-02-24T16:43:53.383187+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	50062	TCP
2025-02-24T16:43:55.335438+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	50063	TCP
2025-02-24T16:43:57.356096+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	50064	TCP
2025-02-24T16:43:59.553755+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	50065	TCP
2025-02-24T16:44:01.514243+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	50066	TCP
2025-02-24T16:44:05.539584+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	50068	TCP
2025-02-24T16:44:07.648781+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	50069	TCP
2025-02-24T16:44:09.667720+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	50070	TCP
2025-02-24T16:44:11.626248+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	50071	TCP
2025-02-24T16:44:14.012147+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	50072	TCP
2025-02-24T16:44:15.962577+0100	2025483	1	A Network Trojan was detected	104.21.96.1	80	192.168.2.4	50073	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-24T16:42:26.802283+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.21.96.1	80	TCP
2025-02-24T16:42:28.716016+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49746	104.21.96.1	80	TCP
2025-02-24T16:42:30.733802+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49748	104.21.96.1	80	TCP
2025-02-24T16:42:32.758575+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49749	104.21.96.1	80	TCP
2025-02-24T16:42:34.664153+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49750	104.21.96.1	80	TCP
2025-02-24T16:42:36.602909+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49751	104.21.96.1	80	TCP
2025-02-24T16:42:38.584990+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49752	104.21.96.1	80	TCP
2025-02-24T16:42:40.542896+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49753	104.21.96.1	80	TCP
2025-02-24T16:42:42.527364+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49754	104.21.96.1	80	TCP
2025-02-24T16:42:44.484949+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49755	104.21.96.1	80	TCP
2025-02-24T16:42:46.430191+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49758	104.21.96.1	80	TCP
2025-02-24T16:42:48.396337+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49759	104.21.96.1	80	TCP
2025-02-24T16:42:51.334759+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49760	104.21.96.1	80	TCP
2025-02-24T16:42:53.248944+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49762	104.21.96.1	80	TCP
2025-02-24T16:42:55.178008+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49765	104.21.96.1	80	TCP
2025-02-24T16:42:57.127649+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49767	104.21.96.1	80	TCP
2025-02-24T16:42:59.253100+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49769	104.21.96.1	80	TCP
2025-02-24T16:43:01.204528+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49770	104.21.96.1	80	TCP
2025-02-24T16:43:03.183799+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49771	104.21.96.1	80	TCP
2025-02-24T16:43:05.210205+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49772	104.21.96.1	80	TCP
2025-02-24T16:43:07.121146+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49780	104.21.96.1	80	TCP
2025-02-24T16:43:09.018113+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49791	104.21.96.1	80	TCP
2025-02-24T16:43:11.054709+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49807	104.21.96.1	80	TCP
2025-02-24T16:43:12.991128+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49818	104.21.96.1	80	TCP
2025-02-24T16:43:14.871269+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49832	104.21.96.1	80	TCP
2025-02-24T16:43:16.681119+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49844	104.21.96.1	80	TCP
2025-02-24T16:43:18.836975+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49855	104.21.96.1	80	TCP
2025-02-24T16:43:20.979291+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49871	104.21.96.1	80	TCP
2025-02-24T16:43:22.916446+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49882	104.21.96.1	80	TCP
2025-02-24T16:43:24.876074+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49896	104.21.96.1	80	TCP
2025-02-24T16:43:26.839454+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49909	104.21.96.1	80	TCP
2025-02-24T16:43:28.751724+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49923	104.21.96.1	80	TCP
2025-02-24T16:43:30.697844+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49935	104.21.96.1	80	TCP
2025-02-24T16:43:33.606649+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49950	104.21.96.1	80	TCP
2025-02-24T16:43:35.618666+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49968	104.21.96.1	80	TCP
2025-02-24T16:43:37.556434+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49982	104.21.96.1	80	TCP
2025-02-24T16:43:39.625924+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49998	104.21.96.1	80	TCP
2025-02-24T16:43:41.598197+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50009	104.21.96.1	80	TCP
2025-02-24T16:43:43.504429+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50024	104.21.96.1	80	TCP
2025-02-24T16:43:45.525135+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50036	104.21.96.1	80	TCP
2025-02-24T16:43:47.551295+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50050	104.21.96.1	80	TCP
2025-02-24T16:43:49.487561+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50060	104.21.96.1	80	TCP
2025-02-24T16:43:51.358743+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50061	104.21.96.1	80	TCP
2025-02-24T16:43:53.378060+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50062	104.21.96.1	80	TCP
2025-02-24T16:43:55.330379+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50063	104.21.96.1	80	TCP
2025-02-24T16:43:57.351079+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50064	104.21.96.1	80	TCP
2025-02-24T16:43:59.548678+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50065	104.21.96.1	80	TCP
2025-02-24T16:44:01.508072+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50066	104.21.96.1	80	TCP
2025-02-24T16:44:03.403674+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50067	104.21.96.1	80	TCP
2025-02-24T16:44:05.534512+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50068	104.21.96.1	80	TCP
2025-02-24T16:44:07.643653+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50069	104.21.96.1	80	TCP
2025-02-24T16:44:09.637999+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50070	104.21.96.1	80	TCP
2025-02-24T16:44:11.620521+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50071	104.21.96.1	80	TCP
2025-02-24T16:44:14.006528+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50072	104.21.96.1	80	TCP
2025-02-24T16:44:15.957442+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50073	104.21.96.1	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-24T16:42:26.802283+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.21.96.1	80	TCP
2025-02-24T16:42:28.716016+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49746	104.21.96.1	80	TCP
2025-02-24T16:42:30.733802+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49748	104.21.96.1	80	TCP
2025-02-24T16:42:32.758575+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49749	104.21.96.1	80	TCP
2025-02-24T16:42:34.664153+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49750	104.21.96.1	80	TCP
2025-02-24T16:42:36.602909+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49751	104.21.96.1	80	TCP
2025-02-24T16:42:38.584990+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49752	104.21.96.1	80	TCP
2025-02-24T16:42:40.542896+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49753	104.21.96.1	80	TCP
2025-02-24T16:42:42.527364+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49754	104.21.96.1	80	TCP
2025-02-24T16:42:44.484949+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49755	104.21.96.1	80	TCP
2025-02-24T16:42:46.430191+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49758	104.21.96.1	80	TCP
2025-02-24T16:42:48.396337+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49759	104.21.96.1	80	TCP
2025-02-24T16:42:51.334759+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49760	104.21.96.1	80	TCP
2025-02-24T16:42:53.248944+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49762	104.21.96.1	80	TCP
2025-02-24T16:42:55.178008+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49765	104.21.96.1	80	TCP
2025-02-24T16:42:57.127649+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49767	104.21.96.1	80	TCP
2025-02-24T16:42:59.253100+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49769	104.21.96.1	80	TCP
2025-02-24T16:43:01.204528+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49770	104.21.96.1	80	TCP
2025-02-24T16:43:03.183799+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49771	104.21.96.1	80	TCP
2025-02-24T16:43:05.210205+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49772	104.21.96.1	80	TCP
2025-02-24T16:43:07.121146+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49780	104.21.96.1	80	TCP
2025-02-24T16:43:09.018113+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49791	104.21.96.1	80	TCP
2025-02-24T16:43:11.054709+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49807	104.21.96.1	80	TCP
2025-02-24T16:43:12.991128+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49818	104.21.96.1	80	TCP
2025-02-24T16:43:14.871269+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49832	104.21.96.1	80	TCP
2025-02-24T16:43:16.681119+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49844	104.21.96.1	80	TCP
2025-02-24T16:43:18.836975+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49855	104.21.96.1	80	TCP
2025-02-24T16:43:20.979291+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49871	104.21.96.1	80	TCP
2025-02-24T16:43:22.916446+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49882	104.21.96.1	80	TCP
2025-02-24T16:43:24.876074+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49896	104.21.96.1	80	TCP
2025-02-24T16:43:26.839454+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49909	104.21.96.1	80	TCP
2025-02-24T16:43:28.751724+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49923	104.21.96.1	80	TCP
2025-02-24T16:43:30.697844+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49935	104.21.96.1	80	TCP
2025-02-24T16:43:33.606649+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49950	104.21.96.1	80	TCP
2025-02-24T16:43:35.618666+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49968	104.21.96.1	80	TCP
2025-02-24T16:43:37.556434+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49982	104.21.96.1	80	TCP
2025-02-24T16:43:39.625924+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49998	104.21.96.1	80	TCP
2025-02-24T16:43:41.598197+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50009	104.21.96.1	80	TCP
2025-02-24T16:43:43.504429+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50024	104.21.96.1	80	TCP
2025-02-24T16:43:45.525135+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50036	104.21.96.1	80	TCP
2025-02-24T16:43:47.551295+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50050	104.21.96.1	80	TCP
2025-02-24T16:43:49.487561+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50060	104.21.96.1	80	TCP
2025-02-24T16:43:51.358743+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50061	104.21.96.1	80	TCP
2025-02-24T16:43:53.378060+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50062	104.21.96.1	80	TCP
2025-02-24T16:43:55.330379+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50063	104.21.96.1	80	TCP
2025-02-24T16:43:57.351079+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50064	104.21.96.1	80	TCP
2025-02-24T16:43:59.548678+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50065	104.21.96.1	80	TCP
2025-02-24T16:44:01.508072+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50066	104.21.96.1	80	TCP
2025-02-24T16:44:03.403674+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50067	104.21.96.1	80	TCP
2025-02-24T16:44:05.534512+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50068	104.21.96.1	80	TCP
2025-02-24T16:44:07.643653+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50069	104.21.96.1	80	TCP
2025-02-24T16:44:09.637999+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50070	104.21.96.1	80	TCP
2025-02-24T16:44:11.620521+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50071	104.21.96.1	80	TCP
2025-02-24T16:44:14.006528+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50072	104.21.96.1	80	TCP
2025-02-24T16:44:15.957442+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50073	104.21.96.1	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-24T16:42:23.092975+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49738	104.21.96.1	80	TCP
2025-02-24T16:42:25.097025+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49739	104.21.96.1	80	TCP
2025-02-24T16:42:25.979331+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49741	104.21.96.1	80	TCP
2025-02-24T16:42:27.987839+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49746	104.21.96.1	80	TCP
2025-02-24T16:42:29.896862+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49748	104.21.96.1	80	TCP
2025-02-24T16:42:31.897018+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49749	104.21.96.1	80	TCP
2025-02-24T16:42:33.913970+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49750	104.21.96.1	80	TCP
2025-02-24T16:42:35.838809+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49751	104.21.96.1	80	TCP
2025-02-24T16:42:37.783674+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49752	104.21.96.1	80	TCP
2025-02-24T16:42:39.794187+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49753	104.21.96.1	80	TCP
2025-02-24T16:42:41.723340+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49754	104.21.96.1	80	TCP
2025-02-24T16:42:43.712441+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49755	104.21.96.1	80	TCP
2025-02-24T16:42:45.644995+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49758	104.21.96.1	80	TCP
2025-02-24T16:42:47.597053+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49759	104.21.96.1	80	TCP
2025-02-24T16:42:49.573091+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49760	104.21.96.1	80	TCP
2025-02-24T16:42:52.489924+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49762	104.21.96.1	80	TCP
2025-02-24T16:42:54.434059+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49765	104.21.96.1	80	TCP
2025-02-24T16:42:56.393156+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49767	104.21.96.1	80	TCP
2025-02-24T16:42:58.430719+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49769	104.21.96.1	80	TCP
2025-02-24T16:43:00.442267+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49770	104.21.96.1	80	TCP
2025-02-24T16:43:02.408181+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49771	104.21.96.1	80	TCP
2025-02-24T16:43:04.417660+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49772	104.21.96.1	80	TCP
2025-02-24T16:43:06.370318+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49780	104.21.96.1	80	TCP
2025-02-24T16:43:08.282460+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49791	104.21.96.1	80	TCP
2025-02-24T16:43:10.237352+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49807	104.21.96.1	80	TCP
2025-02-24T16:43:12.224448+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49818	104.21.96.1	80	TCP
2025-02-24T16:43:14.147703+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49832	104.21.96.1	80	TCP
2025-02-24T16:43:16.034148+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49844	104.21.96.1	80	TCP
2025-02-24T16:43:18.043130+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49855	104.21.96.1	80	TCP
2025-02-24T16:43:20.229798+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49871	104.21.96.1	80	TCP
2025-02-24T16:43:22.143649+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49882	104.21.96.1	80	TCP
2025-02-24T16:43:24.083051+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49896	104.21.96.1	80	TCP
2025-02-24T16:43:26.071116+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49909	104.21.96.1	80	TCP
2025-02-24T16:43:28.013014+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49923	104.21.96.1	80	TCP
2025-02-24T16:43:29.929566+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49935	104.21.96.1	80	TCP
2025-02-24T16:43:31.862819+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49950	104.21.96.1	80	TCP
2025-02-24T16:43:34.844913+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49968	104.21.96.1	80	TCP
2025-02-24T16:43:36.792593+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49982	104.21.96.1	80	TCP
2025-02-24T16:43:38.853411+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49998	104.21.96.1	80	TCP
2025-02-24T16:43:40.822823+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50009	104.21.96.1	80	TCP
2025-02-24T16:43:42.754297+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50024	104.21.96.1	80	TCP
2025-02-24T16:43:44.741083+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50036	104.21.96.1	80	TCP
2025-02-24T16:43:46.721609+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50050	104.21.96.1	80	TCP
2025-02-24T16:43:48.718252+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50060	104.21.96.1	80	TCP
2025-02-24T16:43:50.697045+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50061	104.21.96.1	80	TCP
2025-02-24T16:43:52.602845+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50062	104.21.96.1	80	TCP
2025-02-24T16:43:54.550119+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50063	104.21.96.1	80	TCP
2025-02-24T16:43:56.490788+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50064	104.21.96.1	80	TCP
2025-02-24T16:43:58.502924+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50065	104.21.96.1	80	TCP
2025-02-24T16:44:00.705696+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50066	104.21.96.1	80	TCP
2025-02-24T16:44:02.658162+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50067	104.21.96.1	80	TCP
2025-02-24T16:44:04.721825+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50068	104.21.96.1	80	TCP
2025-02-24T16:44:06.875861+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50069	104.21.96.1	80	TCP
2025-02-24T16:44:08.819530+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50070	104.21.96.1	80	TCP
2025-02-24T16:44:10.869763+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50071	104.21.96.1	80	TCP
2025-02-24T16:44:13.220656+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50072	104.21.96.1	80	TCP
2025-02-24T16:44:15.178259+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50073	104.21.96.1	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-24T16:42:23.092975+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49738	104.21.96.1	80	TCP
2025-02-24T16:42:25.097025+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49739	104.21.96.1	80	TCP
2025-02-24T16:42:25.979331+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.21.96.1	80	TCP
2025-02-24T16:42:27.987839+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49746	104.21.96.1	80	TCP
2025-02-24T16:42:29.896862+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49748	104.21.96.1	80	TCP
2025-02-24T16:42:31.897018+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49749	104.21.96.1	80	TCP
2025-02-24T16:42:33.913970+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49750	104.21.96.1	80	TCP
2025-02-24T16:42:35.838809+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49751	104.21.96.1	80	TCP
2025-02-24T16:42:37.783674+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49752	104.21.96.1	80	TCP
2025-02-24T16:42:39.794187+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49753	104.21.96.1	80	TCP
2025-02-24T16:42:41.723340+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49754	104.21.96.1	80	TCP
2025-02-24T16:42:43.712441+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49755	104.21.96.1	80	TCP
2025-02-24T16:42:45.644995+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49758	104.21.96.1	80	TCP
2025-02-24T16:42:47.597053+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49759	104.21.96.1	80	TCP
2025-02-24T16:42:49.573091+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49760	104.21.96.1	80	TCP
2025-02-24T16:42:52.489924+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49762	104.21.96.1	80	TCP
2025-02-24T16:42:54.434059+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49765	104.21.96.1	80	TCP
2025-02-24T16:42:56.393156+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49767	104.21.96.1	80	TCP
2025-02-24T16:42:58.430719+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49769	104.21.96.1	80	TCP
2025-02-24T16:43:00.442267+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49770	104.21.96.1	80	TCP
2025-02-24T16:43:02.408181+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49771	104.21.96.1	80	TCP
2025-02-24T16:43:04.417660+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49772	104.21.96.1	80	TCP
2025-02-24T16:43:06.370318+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49780	104.21.96.1	80	TCP
2025-02-24T16:43:08.282460+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49791	104.21.96.1	80	TCP
2025-02-24T16:43:10.237352+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49807	104.21.96.1	80	TCP
2025-02-24T16:43:12.224448+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49818	104.21.96.1	80	TCP
2025-02-24T16:43:14.147703+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49832	104.21.96.1	80	TCP
2025-02-24T16:43:16.034148+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49844	104.21.96.1	80	TCP
2025-02-24T16:43:18.043130+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49855	104.21.96.1	80	TCP
2025-02-24T16:43:20.229798+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49871	104.21.96.1	80	TCP
2025-02-24T16:43:22.143649+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49882	104.21.96.1	80	TCP
2025-02-24T16:43:24.083051+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49896	104.21.96.1	80	TCP
2025-02-24T16:43:26.071116+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49909	104.21.96.1	80	TCP
2025-02-24T16:43:28.013014+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49923	104.21.96.1	80	TCP
2025-02-24T16:43:29.929566+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49935	104.21.96.1	80	TCP
2025-02-24T16:43:31.862819+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49950	104.21.96.1	80	TCP
2025-02-24T16:43:34.844913+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49968	104.21.96.1	80	TCP
2025-02-24T16:43:36.792593+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49982	104.21.96.1	80	TCP
2025-02-24T16:43:38.853411+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49998	104.21.96.1	80	TCP
2025-02-24T16:43:40.822823+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50009	104.21.96.1	80	TCP
2025-02-24T16:43:42.754297+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50024	104.21.96.1	80	TCP
2025-02-24T16:43:44.741083+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50036	104.21.96.1	80	TCP
2025-02-24T16:43:46.721609+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50050	104.21.96.1	80	TCP
2025-02-24T16:43:48.718252+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50060	104.21.96.1	80	TCP
2025-02-24T16:43:50.697045+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50061	104.21.96.1	80	TCP
2025-02-24T16:43:52.602845+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50062	104.21.96.1	80	TCP
2025-02-24T16:43:54.550119+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50063	104.21.96.1	80	TCP
2025-02-24T16:43:56.490788+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50064	104.21.96.1	80	TCP
2025-02-24T16:43:58.502924+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50065	104.21.96.1	80	TCP
2025-02-24T16:44:00.705696+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50066	104.21.96.1	80	TCP
2025-02-24T16:44:02.658162+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50067	104.21.96.1	80	TCP
2025-02-24T16:44:04.721825+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50068	104.21.96.1	80	TCP
2025-02-24T16:44:06.875861+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50069	104.21.96.1	80	TCP
2025-02-24T16:44:08.819530+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50070	104.21.96.1	80	TCP
2025-02-24T16:44:10.869763+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50071	104.21.96.1	80	TCP
2025-02-24T16:44:13.220656+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50072	104.21.96.1	80	TCP
2025-02-24T16:44:15.178259+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50073	104.21.96.1	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://touxzw.ir/sss2/five/fre.php

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000008.00000002.1847898439.0000000004D49000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe

ReversingLabs: Detection: 57%

Multi AV Scanner detection for submitted file

Source: OEoRzjI7JgSiUUd.exe	ReversingLabs: Detection: 57%
Source: OEoRzjI7JgSiUUd.exe	Virustotal: Detection: 51%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: OEoRzjI7JgSiUUd.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: OEoRzjI7JgSiUUd.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000018.00000002.2224179550.000000000712C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb= source: RegSvcs.exe, 00000018.00000002.2224179550.000000000713F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: RegSvcs.exe, 00000018.00000002.2224179550.000000000712C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RegSvcs.exe, 00000018.00000002.2224179550.000000000712C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: System.ni.pdbRSDS source: WERD69.tmp.dmp.31.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: RegSvcs.exe, 00000018.00000002.2224179550.00000000070C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb0 source: WERD69.tmp.dmp.31.dr
Source:	Binary string: RegSvcs.pdb, source: VKLIKWXJXPZTHN.exe, 00000012.00000000.1825699862.0000000000F62000.00000002.00000001.01000000.0000000D.sdmp, VKLIKWXJXPZTHN.exe.8.dr
Source:	Binary string: System.pdb-2246122658-3693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{9ac9fbe1-e0a2-4ad6-b4ee-e212013ea917}\InProcServer32 source: RegSvcs.exe, 00000018.00000002.2224179550.000000000710E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000018.00000002.2224179550.000000000713F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERD69.tmp.dmp.31.dr
Source:	Binary string: RegSvcs.pdb source: VKLIKWXJXPZTHN.exe, 00000012.00000000.1825699862.0000000000F62000.00000002.00000001.01000000.0000000D.sdmp, VKLIKWXJXPZTHN.exe.8.dr
Source:	Binary string: System.Configuration.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: PwJ.pdbSHA256 source: RegSvcs.exe, 00000008.00000002.1831939145.0000000000402000.00000040.00000400.00020000.00000000.sdmp, yteYLhteU.exe, 00000009.00000002.1884006182.00000000042EB000.00000004.00000800.00020000.00000000.sdmp, WERD69.tmp.dmp.31.dr
Source:	Binary string: System.Xml.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: System.pdb source: RegSvcs.exe, 00000018.00000002.2224179550.00000000070C3000.00000004.00000020.00020000.00000000.sdmp, WERD69.tmp.dmp.31.dr
Source:	Binary string: mscorlib.pdbh source: RegSvcs.exe, 00000018.00000002.2224179550.000000000713F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERD69.tmp.dmp.31.dr
Source:	Binary string: System.Drawing.pdbH source: WERD69.tmp.dmp.31.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: System.Core.ni.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: %%.pdb source: RegSvcs.exe, 00000018.00000002.2203064554.0000000000F37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: mscorlib.pdb source: RegSvcs.exe, 00000018.00000002.2224179550.00000000070C6000.00000004.00000020.00020000.00000000.sdmp, WERD69.tmp.dmp.31.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb;5 source: RegSvcs.exe, 00000018.00000002.2224179550.000000000712C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000018.00000002.2224179550.000000000713F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000018.00000002.2203181115.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: PwJ.pdb source: RegSvcs.exe, 00000008.00000002.1831939145.0000000000402000.00000040.00000400.00020000.00000000.sdmp, yteYLhteU.exe, 00000009.00000002.1884006182.00000000042EB000.00000004.00000800.00020000.00000000.sdmp, WERD69.tmp.dmp.31.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000018.00000002.2224179550.000000000712C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb> source: RegSvcs.exe, 00000018.00000002.2224179550.000000000713F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB1w source: RegSvcs.exe, 00000018.00000002.2224179550.000000000710E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbS5 source: RegSvcs.exe, 00000018.00000002.2224179550.000000000712C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERD69.tmp.dmp.31.dr
Source:	Binary string: System.Configuration.pdbP source: WERD69.tmp.dmp.31.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: RegSvcs.exe, 00000018.00000002.2224179550.000000000713F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: Microsoft.VisualBasic.pdb`3 source: WERD69.tmp.dmp.31.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERD69.tmp.dmp.31.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 17_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

17_2_00403D74

Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe

Code function: 4x nop then jmp 073EF14Dh

9_2_073EE91C

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49750 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49750 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49750 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49755 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49755 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49755 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49738 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49739 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49738 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49738 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49739 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49739 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49748 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49752 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49748 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49748 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49752 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49752 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49760 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49759 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49760 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:49739 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49748 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49748 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49750 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49755 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:49738 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49755 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49760 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49758 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49758 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49758 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49758 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49758 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49754 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49754 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49754 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49752 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49752 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49749 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49749 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49749 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49751 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49750 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49762 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49762 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49762 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49746 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49754 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49746 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49746 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49754 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49762 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49762 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:49748
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49753 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49753 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49753 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49746 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49746 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49753 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49753 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49780 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49765 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49791 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49751 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49791 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49791 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49807 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49807 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49760 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49772 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49760 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49751 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49759 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49765 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49791 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49751 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49772 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49751 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49791 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49765 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49759 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:49754
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49759 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49759 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:49762
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49855 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49765 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49765 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49771 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49771 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49771 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49855 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49855 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49844 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49844 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49780 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49871 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49780 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49871 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49807 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49772 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49855 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49771 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49771 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49807 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49855 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49772 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49772 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49882 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49807 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49882 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49882 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49780 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49780 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49871 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49769 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49882 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49769 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49882 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49769 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49871 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49871 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49769 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49769 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:49752
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49818 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49818 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:49759
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:49855
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:49751
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49818 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49770 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:49882
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49770 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49770 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49818 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49767 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49818 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49896 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49896 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49896 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49741 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49741 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49767 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:49769
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49896 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49896 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49770 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49844 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:49772
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49767 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:49807
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49770 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49767 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49767 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:49896
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49844 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49844 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49749 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49950 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49749 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49950 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49950 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49950 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:49770
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49923 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49923 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49923 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49935 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49935 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49935 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49935 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49935 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49923 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:49749
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49923 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49968 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49968 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49968 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49950 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49832 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49832 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49832 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49968 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49968 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49832 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49832 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49741 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49741 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49741 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49909 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49909 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49909 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49909 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49909 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50009 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50009 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49998 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49998 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50009 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:49741
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50009 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50050 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49982 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50050 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50050 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49998 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49982 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:49909
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49982 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50009 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49998 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49998 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49982 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49982 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50062 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50062 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50062 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50065 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50065 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50065 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50062 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50067 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50062 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50067 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50067 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50065 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50024 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50065 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50036 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50036 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50024 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50036 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50024 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50067 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50067 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50064 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50064 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50064 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50036 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50024 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50036 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50024 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50071 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50071 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50071 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50071 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50064 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50064 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50069 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50069 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50069 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50069 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50069 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50050 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50050 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50060 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50060 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50060 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50071 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:50024
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50060 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50061 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50060 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50061 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50061 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50061 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50061 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:50065
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:50069
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:50062
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50063 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50063 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50063 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50063 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50063 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50073 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:50071
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:50061
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:50060
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50070 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50070 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50070 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50070 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50070 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:50064
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:50050
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:50063
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:49844
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50066 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50066 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50066 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50068 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50068 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50068 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50066 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50068 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50066 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50068 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:50036
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50073 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50073 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50073 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50073 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:50070
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:50068
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:50066
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50072 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50072 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50072 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50072 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50072 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:50073
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.96.1:80 -> 192.168.2.4:50072

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php

Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1

Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 17_2_00404ED4 recv,

17_2_00404ED4

Source: global traffic

DNS traffic detected: DNS query: touxzw.ir

Source: unknown

HTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 176Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:42:26 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QuQ1tdiSidZRcvROA7EM8ERw1JkJb%2BSPH6rIHo6dH%2Bex93UcEuFd6VUfIFT2Gvt4bHdFfcyD2ClEk%2Bp3VE2uEwHVM%2BLeoUpEmyUbv7IXlldW0AZaIzMRrdoTBEs%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917090c6d86d0fa9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1704&min_rtt=1704&rtt_var=852&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:42:30 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hc4BGxzbP7%2FXmV2qiQT%2Fj4%2Bl0f1sTBGGtqUd8AHeLcQtZYviTvuVpfM8mapsw5cs8lEVMR7b3wXLwE6rIAxkZaKaY0oksFvhnuKpeJKgQkNYI26CFVTb5jCRKXI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917090df7d4e436f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1578&min_rtt=1578&rtt_var=789&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=180&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:42:32 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F77ITdWqBO402dXuIWhXzlI08aGlZlGo6lU4%2F6%2FmBEXBgsNDgduUi6DRt4hTRyB45FSxm2zwYb12zK0%2Fse%2BoQjKDCu8axDmEcSx4KAhEOY92kIU7DOHV0zA7fsw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917090ec0a0c4367-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1586&min_rtt=1586&rtt_var=793&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:42:36 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B4rOMtWj4R0g1YJ%2B3xYialwbv%2BgJUB9STHpRWt7OBOZ52abLSOMwJFWf4Eic0isQWYxGjN4EBwjKDNoxYy5ZRWBMEe24TflPBMy4kKiD9SWU0EoeA1UViqC5Td4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917091047a747c9c-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2042&min_rtt=2042&rtt_var=1021&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:42:38 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4LD56ZNGlILAVbX7nfO6U4vpCQPODzndyjKO9mxj6mavZwovFfCm69WyIeteCyariy5%2FR7HLRpE98db2iBWhqInUOAYasC5VxfzBewSbE3kyhJ2tljGmU1%2FsVP4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9170911098c14216-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1914&min_rtt=1914&rtt_var=957&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:42:42 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ksB%2FSLOrwyaK%2BRYR1ruEWV7H7zgliAG1ItrikimXKvs4dKOg2hY9EYzVPN4vOD6%2F0pt8FOfN3XGY0KEZum7RsTmcoOZag0EyVDeR4a65P1EaLKJcutt6iEXcG00%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917091295c744276-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1823&min_rtt=1823&rtt_var=911&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:42:48 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=skYZNgb%2B8El%2FDoQa9HhMyOa2d74OjE0UjFFKRNg1Iro5uVxdlTWLYztYUV%2B1AQHm8VJc%2Fw6ayNhBrvLnT2FlYSQwUaDQuUUcAg7mhw2DOLOnajwvE0%2Fe71WUT%2BI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9170914dff1cc33a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1674&min_rtt=1674&rtt_var=837&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:42:53 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eyYNXsq5kaZsXWsUWkZvwIxjonEYPnQLg9GisEhqWiYwnMOElD%2FW0qtxWgYwJhyfKcq8htV1ATrmvbGxK%2FjowRoovM3mKx%2FhKS1H4ucuxLirS3A0FynICWcmRKk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9170916c8acb333c-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1939&min_rtt=1939&rtt_var=969&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:42:59 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Pvxwe88a%2B7SbU8l3EihzqTujl6eZgh0X0pmXp%2Bf5Ym8U6ASlr748KG%2BBcz8nUGJwyBDHbDtY%2FefsCXuvsFfSKb2DUhoKZejqsk%2BZ2Ltmp95JhfiAJ17ABRP25OM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91709191bba14358-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1633&min_rtt=1633&rtt_var=816&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:43:01 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2Xj8n7Y0AEGRff6oD5JGiVzR7khrhKHijJQQW%2BeF0cVZXBXShw5oBBmKssCPU8xWrKGYM79JyMnCL614zCJlMIs1Tq2utG6sxtnMNA9aCU1n9Cy79evB1GEnOYk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9170919e3bdc80cd-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1714&min_rtt=1714&rtt_var=857&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=177&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:43:05 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i09qjIh2D7i4cR6X5KR5617p6SHLSSWt5CYhAXB%2B1e4FKCYfoKzykDwXG02%2BrRKGhfaycIl451n0O3%2FKZb9yCNJjT5v%2B7aABcIlzbCDp2VtgHIqA558h%2BtUWpJ0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917091b72ab641df-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1785&min_rtt=1785&rtt_var=892&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:43:11 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sZn90vvA%2F%2BJgifv%2Fe%2F8ywOGZzGqVQ02zjkZ9jWox8uZ%2FF0GJRxucRGyJnpKQOYyxG5HUVTQnZHE0QJvLxqxYHoKWYmidd1SGdF1UD43dKt01kcWqrLxLmkEqG%2BQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917091db79ab0f89-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1634&min_rtt=1634&rtt_var=817&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:43:16 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gp73YIz0c%2FJCQFx7ro9lbsu9OdOa3eiEEnrXzinAOaFjo1DDlnwkckZ5sCydS%2BW61CwsE3bRXDo%2BHNIc7p%2Fj8VAJNrJL1v98A%2F5FUsRE2cPbWt04Xn34ZP%2FbXlM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917091ffb87a5e64-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2037&min_rtt=2037&rtt_var=1018&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:43:18 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NoyjIj35%2BJPVd9uUOe%2F2pf%2FKoVwxRe3Ko1JXfUqnpFIq3EpA7OmHJSRB2YaF4PqHo45tXROO0S%2F1mRJoi5av1LgszuM1WAXovyXTYwn4aZd2GHfo7RNzTo%2BmnIo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9170920c4d8442d2-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1754&min_rtt=1754&rtt_var=877&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:43:22 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s%2F9gqv35Lqb%2FVudgGDnPGd8lAqppHCoMF3LkPyiInzS%2BtANkEY7gDpM7TvVAg23PxutR6mnWan%2BCL7l4wF9rb68zWETsytfbYkhAgYE6Svx4aArZrxLS9AI1Oj4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917092260f510f69-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=6103&min_rtt=6103&rtt_var=3051&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:43:24 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=31st%2FyBTsM3oLeACA4c2PvFc2KwIvydZt6m6tkFjce2BpVEBpBU5b1BmGLlH7Kvw42npiOvwiQImazuDF8wH18ar8Pd0%2FlY6yu2j8Aq50S%2FBrgmLOOW4G4tEtBk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917092321b495e65-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2388&min_rtt=2388&rtt_var=1194&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:43:26 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qeACZ9cQUdl%2BnO07CXcuQtwTq3p%2BQ7bgjgnh%2B67G6UbyqrPglYepXTWyEQ6O7FUUJi74gjVLljJomLjexJ22alA5GwetcVeqe%2BUiPCuVUpK%2FDC%2BagC7SlL6voy0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9170923e6fbb19cf-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1870&min_rtt=1870&rtt_var=935&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:43:43 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aqMMELRneuB3XgeBbg85v87hU%2FL72a5RfI9VvFToSDvZfXCZY2grCf90%2BWBDL6KEgGkz%2Bydj3fK3Y9YM760%2BoEQBEzz4PLOBCEwdCsbPgRdCaLogkMsigl5YI70%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917092a6ce0ff799-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1638&min_rtt=1638&rtt_var=819&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=175&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:43:45 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=M0UNCZNrrp2aUf42v1X73kDUKxfuPaD%2FQTALsQdZPOrvgu9sEDiHfy4y3LlUKWQBNlQBgxaSNlESZA79vmwre2mwf0pad0lVUDgW0mm4BVeyaos40hj3KrGLx5o%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917092b328ec32c7-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2070&min_rtt=2070&rtt_var=1035&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=147&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:43:47 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fq7u9R7nwhJGM6Jc29hOi894Uy%2FewcNb%2B0C%2B6FyFIlZ%2FIvAsMGHPk0oOR71YqoWp3Hmzehy%2Bbs2L3TPj%2FmnN8Tmjrg1kQ1EVAB%2FWl%2FR3POKRbUm7qhpxNrtWfZk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917092bf989243ed-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1613&min_rtt=1613&rtt_var=806&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:43:49 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZAts0xCJun5Yl%2Fc5kUqHPXZoLyafxExUXae7Ty1fjVC4Xu68f3xdFwtjQLLCWrIzo3yphdSxyhXFZtAePGqiu5j93PAxUWwuEoBQB%2FisBAxwCVSWnfeSXK0d%2B5Q%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917092cc1cf08c8f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2030&min_rtt=2030&rtt_var=1015&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:43:51 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Kzjnw4MU3U4Oj4bEf3gB%2BBDTZK7EtOJbt7mUW2KskTuALdWdHWVg5jKUsZ99NdTGbfrxjI6N8UihDzw4W5%2FNhRqaQCuaj7dS27XdSfBScb57xbduN78OZ17lNDw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917092d85d4f4285-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1763&min_rtt=1763&rtt_var=881&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:43:53 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xF6dwJTSkfNrLT7H%2FPJbncme82TSONDPz917ZDmiFLAmsC%2BGbiJaN3FzSelTRlrvuN5Py1IA9zIdwPB2fu3I6C8uypV2BMvPhihOEa6ordHOxzWumRNYDPFPkAk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917092e43cfa4374-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1778&min_rtt=1778&rtt_var=889&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=65&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:43:55 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i3zGWkE6WX521t3ybomOuqaY3gIbUzTMqC7HOvL1n%2BBKz3SSlxbhXTLuxpFaci9P0DQTTvvevd1uMSXt1ke3s%2Boq0aTAmkexKKj0FOAla3ios6zaRl3acNfVUKw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917092f069dd0f45-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1727&min_rtt=1727&rtt_var=863&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=155&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:43:57 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AKmy%2B9JtRu6%2BPWZfdUr3N3G8Kb5DOfHRw1RbD%2Bg7BpaS%2Bjt6S%2BNR0ORaZ3SjNADfUkgG6s3Lt3FksUBaxM3cub23hOkzpiVs0mC4tEzjMOcIMIEV8Yehit734nI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917092fc887242ac-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1853&min_rtt=1853&rtt_var=926&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:43:59 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=orDsm2dVE91iaMNF1HaG2geKAG0cpD62uMWvUmTHEM69ju%2By5Bx9kn8AP5ZOiIEeFgIbum2amyWTH0DUZwEJKwGMYu3RlnSuvGpslmwXnyXG72YtiMT69bBFFOY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917093094a937d20-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2033&min_rtt=2033&rtt_var=1016&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:43:59 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=orDsm2dVE91iaMNF1HaG2geKAG0cpD62uMWvUmTHEM69ju%2By5Bx9kn8AP5ZOiIEeFgIbum2amyWTH0DUZwEJKwGMYu3RlnSuvGpslmwXnyXG72YtiMT69bBFFOY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917093094a937d20-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2033&min_rtt=2033&rtt_var=1016&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:44:01 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B71X2uRGcWmnb3U%2FOYlBSXoAr2BJyMbUy5%2Br6jBrOJHLBQDxJfFwyUE5s1OP6jCrqLCG6K1L97aSoMeriCr2TrohXh0%2BhPTF8k5PgrsqPZ%2FM%2FS2Z4VJqleXZkEQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91709316e88d42c3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1740&min_rtt=1740&rtt_var=870&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=210&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:44:05 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HrK3NpI9y8xebOsAs4OKhrnYxQL5kX8DOubzeyEI0FG95ASPDdPK4Sr15LMekGgZDBHr2U2qTx1KstmBsoinYBA2MGORbG9O843mHFCtYEyfx7RqqfzKnK905JQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917093302e1f43cd-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2362&min_rtt=2362&rtt_var=1181&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:44:07 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vmgZZeZaQGQreQdUr30BYn35Xf4Fzo7l%2FL6Jawhkp6IgsNXCSsQEktONMecNo3KHz2B%2Fe8CcVyBhYmNbcB%2BRAnTZZ2EM5sEcXlRiPizIv6Qif0m%2Bp%2FCS8Lb2ZkQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9170933d7fc672ab-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1969&min_rtt=1969&rtt_var=984&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:44:09 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6f5ayNYsKDFLfXNpinrgT%2FyhJ4%2FTRWUd%2B1rw%2Bzj%2BaP1oxl4xHmWdLPOLXTscg3YAN2IG%2BD6Q7lCkJx3thHMYpgkQqOoN6a97tDhSPo8WBgL1tFoU18tN2Z2qSKc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91709349af4a4390-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1632&min_rtt=1632&rtt_var=816&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:44:11 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B8L%2FbTuFx8B15Vl1TjvzaOm1T8YMQbIo1%2BZDpLJU6AgWGNxU4MrUTjYs6AP4aRgfQ5qXGVRDa1bMGYSfYKW2TnCZjhsvuW2XfxNtmDupnlOytGeLPbnnRpXLS6c%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917093566940f791-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1625&min_rtt=1625&rtt_var=812&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:44:13 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kpCRBSFR3m00cucooSDPgIrEUkw6LEXUJ%2BcX6PQMFI457Vyb%2FtU1UoCaP1M7EvzhBqf9GPn4hOUshnb%2Fzdx8p83RxGzsU2stvwvnxhJjnyluNU5%2B9gTHjxxBAXY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917093651e210f68-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1636&min_rtt=1636&rtt_var=818&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 15:44:15 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TB5zEGTfUUs1ZpCwGAKHFbvpOraEvttyvA16FjuabUxUegTRJ11ciNQM80wl%2B19XM6wPSCAFd05Zevz9B7BBiOv2FAzefnI1yJIgmvRzTUzIu1111xFFo8LDfRY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917093716ed97277-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1936&min_rtt=1936&rtt_var=968&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: OEoRzjI7JgSiUUd.exe, yteYLhteU.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: OEoRzjI7JgSiUUd.exe, yteYLhteU.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: OEoRzjI7JgSiUUd.exe, yteYLhteU.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1778236336.00000000028EB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1835371381.000000000350F000.00000004.00000800.00020000.00000000.sdmp, yteYLhteU.exe, 00000009.00000002.1879325317.00000000032DB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000018.00000002.2205293206.00000000030E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: RegSvcs.exe, RegSvcs.exe, 00000011.00000002.2955828597.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000018.00000002.2218781345.0000000003F63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000018.00000002.2218781345.0000000003F49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1787468713.0000000006AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: OEoRzjI7JgSiUUd.exe, yteYLhteU.exe.0.dr	String found in binary or memory: https://aip.baidubce.com
Source: OEoRzjI7JgSiUUd.exe, yteYLhteU.exe.0.dr	String found in binary or memory: https://cloud.baidu.com/doc/OCR/s/fk3h7xu7h
Source: OEoRzjI7JgSiUUd.exe, yteYLhteU.exe.0.dr	String found in binary or memory: https://cloud.tencent.com/document/product/551/35017
Source: OEoRzjI7JgSiUUd.exe, yteYLhteU.exe.0.dr	String found in binary or memory: https://cloud.tencent.com/document/product/866/35945
Source: OEoRzjI7JgSiUUd.exe, yteYLhteU.exe.0.dr	String found in binary or memory: https://fanyi-api.baidu.com/api/trans/sdk/picture
Source: OEoRzjI7JgSiUUd.exe, yteYLhteU.exe.0.dr	String found in binary or memory: https://fanyi-api.baidu.com/api/trans/vip/translate
Source: OEoRzjI7JgSiUUd.exe, yteYLhteU.exe.0.dr	String found in binary or memory: https://fanyi-api.baidu.com/product/113
Source: OEoRzjI7JgSiUUd.exe, yteYLhteU.exe.0.dr	String found in binary or memory: https://github.com/NPCDW/WindowsFormsOCR
Source: OEoRzjI7JgSiUUd.exe, yteYLhteU.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

System Summary

Malicious sample detected (through community Yara rule)

Source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 8.2.RegSvcs.exe.4d49260.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 8.2.RegSvcs.exe.4d49260.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 8.2.RegSvcs.exe.4d49260.3.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 8.2.RegSvcs.exe.4d49260.3.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 24.2.RegSvcs.exe.3f49990.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 24.2.RegSvcs.exe.3f49990.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 24.2.RegSvcs.exe.3f49990.3.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 24.2.RegSvcs.exe.3f49990.3.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.RegSvcs.exe.4d63280.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 8.2.RegSvcs.exe.4d63280.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 8.2.RegSvcs.exe.4d63280.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 8.2.RegSvcs.exe.4d63280.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.RegSvcs.exe.4d63280.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 8.2.RegSvcs.exe.4d63280.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 8.2.RegSvcs.exe.4d63280.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 8.2.RegSvcs.exe.4d63280.4.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 8.2.RegSvcs.exe.4d63280.4.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 24.2.RegSvcs.exe.3f639b0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 24.2.RegSvcs.exe.3f639b0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 24.2.RegSvcs.exe.3f639b0.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 24.2.RegSvcs.exe.3f639b0.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 24.2.RegSvcs.exe.3f49990.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 24.2.RegSvcs.exe.3f49990.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 24.2.RegSvcs.exe.3f49990.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 24.2.RegSvcs.exe.3f49990.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 24.2.RegSvcs.exe.3f49990.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 17.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 17.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 17.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 17.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 8.2.RegSvcs.exe.4d49260.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 8.2.RegSvcs.exe.4d49260.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 8.2.RegSvcs.exe.4d49260.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 8.2.RegSvcs.exe.4d49260.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.RegSvcs.exe.4d49260.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 24.2.RegSvcs.exe.3f639b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 24.2.RegSvcs.exe.3f639b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 24.2.RegSvcs.exe.3f639b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 24.2.RegSvcs.exe.3f639b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 24.2.RegSvcs.exe.3f639b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000008.00000002.1847898439.0000000004D49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000008.00000002.1847898439.0000000004D49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000008.00000002.1847898439.0000000004D49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.2955828597.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000011.00000002.2955828597.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000011.00000002.2955828597.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000011.00000002.2955828597.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.2955828597.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000008.00000002.1847898439.0000000004D63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000008.00000002.1847898439.0000000004D63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000008.00000002.1847898439.0000000004D63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.2218781345.0000000003F63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000018.00000002.2218781345.0000000003F63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000018.00000002.2218781345.0000000003F63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.2218781345.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000018.00000002.2218781345.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000018.00000002.2218781345.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.1835371381.000000000350F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000008.00000002.1835371381.000000000350F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000008.00000002.1835371381.000000000350F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: RegSvcs.exe PID: 7436, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7992, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 4504, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Code function: 0_2_00E08380	0_2_00E08380
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Code function: 0_2_00E08370	0_2_00E08370
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Code function: 0_2_04D625B0	0_2_04D625B0
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Code function: 0_2_04D67D00	0_2_04D67D00
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Code function: 0_2_04D60040	0_2_04D60040
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Code function: 0_2_04D609F0	0_2_04D609F0
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Code function: 0_2_04D60A00	0_2_04D60A00
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Code function: 0_2_04D67CE0	0_2_04D67CE0
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Code function: 0_2_04E27867	0_2_04E27867
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Code function: 0_2_04E26AB4	0_2_04E26AB4
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Code function: 0_2_04E26AB8	0_2_04E26AB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017FD6CC	8_2_017FD6CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05EAC130	8_2_05EAC130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05EAAA58	8_2_05EAAA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05EAF5A0	8_2_05EAF5A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05EAF590	8_2_05EAF590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05EAE640	8_2_05EAE640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05EAC120	8_2_05EAC120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05EAF2A8	8_2_05EAF2A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05EAF2B8	8_2_05EAF2B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05EAAA48	8_2_05EAAA48
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Code function: 9_2_01818380	9_2_01818380
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Code function: 9_2_01818370	9_2_01818370
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Code function: 9_2_05747D00	9_2_05747D00
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Code function: 9_2_05740040	9_2_05740040
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Code function: 9_2_057409F0	9_2_057409F0
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Code function: 9_2_05740A00	9_2_05740A00
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Code function: 9_2_05747CE0	9_2_05747CE0
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Code function: 9_2_073E6508	9_2_073E6508
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Code function: 9_2_073EA778	9_2_073EA778
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Code function: 9_2_073E65AB	9_2_073E65AB
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Code function: 9_2_073E64F9	9_2_073E64F9
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Code function: 9_2_073E94D8	9_2_073E94D8
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Code function: 9_2_073E90A0	9_2_073E90A0
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Code function: 9_2_073EABB0	9_2_073EABB0
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Code function: 9_2_073EB960	9_2_073EB960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0040549C	17_2_0040549C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_004029D4	17_2_004029D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 24_2_0140D6CC	24_2_0140D6CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 24_2_08AAC120	24_2_08AAC120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 24_2_08AAAA48	24_2_08AAAA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 24_2_08AAF2A8	24_2_08AAF2A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 24_2_08AAF2B8	24_2_08AAF2B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 24_2_08AA0B54	24_2_08AA0B54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 24_2_08AAF5A0	24_2_08AAF5A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 24_2_08AAF590	24_2_08AAF590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 24_2_08AAE630	24_2_08AAE630

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe 2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00405B6F appears 42 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1736

Source: OEoRzjI7JgSiUUd.exe

Static PE information: invalid certificate

Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1778236336.00000000028EB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePwJ.exe: vs OEoRzjI7JgSiUUd.exe
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1775817488.000000000098E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs OEoRzjI7JgSiUUd.exe
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000000.1688593558.00000000004BA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelPmw.exe: vs OEoRzjI7JgSiUUd.exe
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1789104382.00000000094A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs OEoRzjI7JgSiUUd.exe
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1785388060.0000000005310000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs OEoRzjI7JgSiUUd.exe
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1788677776.0000000007133000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs OEoRzjI7JgSiUUd.exe
Source: OEoRzjI7JgSiUUd.exe, 00000000.00000002.1788677776.0000000007167000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelPmw.exe: vs OEoRzjI7JgSiUUd.exe
Source: OEoRzjI7JgSiUUd.exe	Binary or memory string: OriginalFilenamelPmw.exe: vs OEoRzjI7JgSiUUd.exe

Source: OEoRzjI7JgSiUUd.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 8.2.RegSvcs.exe.4d49260.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.4d49260.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.4d49260.3.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 8.2.RegSvcs.exe.4d49260.3.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.RegSvcs.exe.3f49990.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 24.2.RegSvcs.exe.3f49990.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 24.2.RegSvcs.exe.3f49990.3.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 24.2.RegSvcs.exe.3f49990.3.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.RegSvcs.exe.4d63280.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.4d63280.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.4d63280.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 8.2.RegSvcs.exe.4d63280.4.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.RegSvcs.exe.4d63280.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 8.2.RegSvcs.exe.4d63280.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.4d63280.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.4d63280.4.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 8.2.RegSvcs.exe.4d63280.4.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.RegSvcs.exe.3f639b0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 24.2.RegSvcs.exe.3f639b0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 24.2.RegSvcs.exe.3f639b0.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 24.2.RegSvcs.exe.3f639b0.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.RegSvcs.exe.3f49990.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 24.2.RegSvcs.exe.3f49990.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 24.2.RegSvcs.exe.3f49990.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 24.2.RegSvcs.exe.3f49990.3.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.RegSvcs.exe.3f49990.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 17.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 17.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 17.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 17.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 8.2.RegSvcs.exe.4d49260.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.4d49260.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.4d49260.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 8.2.RegSvcs.exe.4d49260.3.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.RegSvcs.exe.4d49260.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 24.2.RegSvcs.exe.3f639b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 24.2.RegSvcs.exe.3f639b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 24.2.RegSvcs.exe.3f639b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 24.2.RegSvcs.exe.3f639b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.RegSvcs.exe.3f639b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000008.00000002.1847898439.0000000004D49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000008.00000002.1847898439.0000000004D49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000008.00000002.1847898439.0000000004D49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.2955828597.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000011.00000002.2955828597.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000011.00000002.2955828597.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000011.00000002.2955828597.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.2955828597.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000008.00000002.1847898439.0000000004D63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000008.00000002.1847898439.0000000004D63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000008.00000002.1847898439.0000000004D63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.2218781345.0000000003F63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000018.00000002.2218781345.0000000003F63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000018.00000002.2218781345.0000000003F63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.2218781345.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000018.00000002.2218781345.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000018.00000002.2218781345.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.1835371381.000000000350F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000008.00000002.1835371381.000000000350F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000008.00000002.1835371381.000000000350F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: RegSvcs.exe PID: 7436, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7992, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 4504, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: OEoRzjI7JgSiUUd.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: yteYLhteU.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, knVK1B9YljLThomR34.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, knVK1B9YljLThomR34.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, knVK1B9YljLThomR34.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, knVK1B9YljLThomR34.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, lfXOvClHQEsmHwJc5l.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, lfXOvClHQEsmHwJc5l.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, hcgnnAjGQ4KxqADGLY.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, hcgnnAjGQ4KxqADGLY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, hcgnnAjGQ4KxqADGLY.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, VpHj5NPdmXJOXIqXUB.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, VpHj5NPdmXJOXIqXUB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, VpHj5NPdmXJOXIqXUB.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, hcgnnAjGQ4KxqADGLY.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, hcgnnAjGQ4KxqADGLY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, hcgnnAjGQ4KxqADGLY.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@38/35@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 17_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

17_2_0040650A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 17_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

17_2_0040434D

Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe

File created: C:\Users\user\AppData\Roaming\yteYLhteU.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Mutant created: \Sessions\1\BaseNamedObjects\QTBYNnHLhZrxoSkuJoC
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4504
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8068:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7232:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7388:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7736:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\CQYFcTqurOq
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7236:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03

Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe

File created: C:\Users\user\AppData\Local\Temp\tmpFF21.tmp

Jump to behavior

Source: OEoRzjI7JgSiUUd.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: OEoRzjI7JgSiUUd.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: OEoRzjI7JgSiUUd.exe	ReversingLabs: Detection: 57%
Source: OEoRzjI7JgSiUUd.exe	Virustotal: Detection: 51%

Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe

File read: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe "C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe"
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yteYLhteU.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yteYLhteU" /XML "C:\Users\user\AppData\Local\Temp\tmpFF21.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\yteYLhteU.exe C:\Users\user\AppData\Roaming\yteYLhteU.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKLIKWXJXPZTHN" /XML "C:\Users\user\AppData\Local\Temp\tmp15A7.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe
Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yteYLhteU" /XML "C:\Users\user\AppData\Local\Temp\tmp1FD8.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKLIKWXJXPZTHN" /XML "C:\Users\user\AppData\Local\Temp\tmp3871.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1736
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe"	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yteYLhteU.exe"	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yteYLhteU" /XML "C:\Users\user\AppData\Local\Temp\tmpFF21.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKLIKWXJXPZTHN" /XML "C:\Users\user\AppData\Local\Temp\tmp15A7.tmp"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yteYLhteU" /XML "C:\Users\user\AppData\Local\Temp\tmp1FD8.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKLIKWXJXPZTHN" /XML "C:\Users\user\AppData\Local\Temp\tmp3871.tmp"

Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Source: OEoRzjI7JgSiUUd.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: OEoRzjI7JgSiUUd.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: OEoRzjI7JgSiUUd.exe

Static file information: File size 1163784 > 1048576

Source: OEoRzjI7JgSiUUd.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x117000

Source: OEoRzjI7JgSiUUd.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: OEoRzjI7JgSiUUd.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000018.00000002.2224179550.000000000712C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb= source: RegSvcs.exe, 00000018.00000002.2224179550.000000000713F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: RegSvcs.exe, 00000018.00000002.2224179550.000000000712C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RegSvcs.exe, 00000018.00000002.2224179550.000000000712C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: System.ni.pdbRSDS source: WERD69.tmp.dmp.31.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: RegSvcs.exe, 00000018.00000002.2224179550.00000000070C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb0 source: WERD69.tmp.dmp.31.dr
Source:	Binary string: RegSvcs.pdb, source: VKLIKWXJXPZTHN.exe, 00000012.00000000.1825699862.0000000000F62000.00000002.00000001.01000000.0000000D.sdmp, VKLIKWXJXPZTHN.exe.8.dr
Source:	Binary string: System.pdb-2246122658-3693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{9ac9fbe1-e0a2-4ad6-b4ee-e212013ea917}\InProcServer32 source: RegSvcs.exe, 00000018.00000002.2224179550.000000000710E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000018.00000002.2224179550.000000000713F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERD69.tmp.dmp.31.dr
Source:	Binary string: RegSvcs.pdb source: VKLIKWXJXPZTHN.exe, 00000012.00000000.1825699862.0000000000F62000.00000002.00000001.01000000.0000000D.sdmp, VKLIKWXJXPZTHN.exe.8.dr
Source:	Binary string: System.Configuration.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: PwJ.pdbSHA256 source: RegSvcs.exe, 00000008.00000002.1831939145.0000000000402000.00000040.00000400.00020000.00000000.sdmp, yteYLhteU.exe, 00000009.00000002.1884006182.00000000042EB000.00000004.00000800.00020000.00000000.sdmp, WERD69.tmp.dmp.31.dr
Source:	Binary string: System.Xml.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: System.pdb source: RegSvcs.exe, 00000018.00000002.2224179550.00000000070C3000.00000004.00000020.00020000.00000000.sdmp, WERD69.tmp.dmp.31.dr
Source:	Binary string: mscorlib.pdbh source: RegSvcs.exe, 00000018.00000002.2224179550.000000000713F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERD69.tmp.dmp.31.dr
Source:	Binary string: System.Drawing.pdbH source: WERD69.tmp.dmp.31.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: System.Core.ni.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: %%.pdb source: RegSvcs.exe, 00000018.00000002.2203064554.0000000000F37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: mscorlib.pdb source: RegSvcs.exe, 00000018.00000002.2224179550.00000000070C6000.00000004.00000020.00020000.00000000.sdmp, WERD69.tmp.dmp.31.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb;5 source: RegSvcs.exe, 00000018.00000002.2224179550.000000000712C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000018.00000002.2224179550.000000000713F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000018.00000002.2203181115.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: PwJ.pdb source: RegSvcs.exe, 00000008.00000002.1831939145.0000000000402000.00000040.00000400.00020000.00000000.sdmp, yteYLhteU.exe, 00000009.00000002.1884006182.00000000042EB000.00000004.00000800.00020000.00000000.sdmp, WERD69.tmp.dmp.31.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000018.00000002.2224179550.000000000712C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb> source: RegSvcs.exe, 00000018.00000002.2224179550.000000000713F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB1w source: RegSvcs.exe, 00000018.00000002.2224179550.000000000710E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbS5 source: RegSvcs.exe, 00000018.00000002.2224179550.000000000712C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERD69.tmp.dmp.31.dr
Source:	Binary string: System.Configuration.pdbP source: WERD69.tmp.dmp.31.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: RegSvcs.exe, 00000018.00000002.2224179550.000000000713F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERD69.tmp.dmp.31.dr
Source:	Binary string: Microsoft.VisualBasic.pdb`3 source: WERD69.tmp.dmp.31.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERD69.tmp.dmp.31.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: OEoRzjI7JgSiUUd.exe, MainForm.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: yteYLhteU.exe.0.dr, MainForm.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.OEoRzjI7JgSiUUd.exe.5310000.2.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, VpHj5NPdmXJOXIqXUB.cs	.Net Code: oW2b2cjsT1 System.Reflection.Assembly.Load(byte[])
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, hcgnnAjGQ4KxqADGLY.cs	.Net Code: RVRZqj1kVOlGdFU5GvT System.Reflection.Assembly.Load(byte[])
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, hcgnnAjGQ4KxqADGLY.cs	.Net Code: RVRZqj1kVOlGdFU5GvT System.Reflection.Assembly.Load(byte[])

Yara detected aPLib compressed binary

Source: Yara match	File source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4d49260.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.RegSvcs.exe.3f49990.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4d63280.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4d63280.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.RegSvcs.exe.3f639b0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.RegSvcs.exe.3f49990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4d49260.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.RegSvcs.exe.3f639b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1847898439.0000000004D49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2955828597.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1847898439.0000000004D63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2218781345.0000000003F63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2218781345.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1835371381.000000000350F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4504, type: MEMORYSTR

Source: OEoRzjI7JgSiUUd.exe

Static PE information: 0xCF104B24 [Wed Jan 31 18:32:04 2080 UTC]

Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Code function: 0_2_00E0B742 push ecx; iretd	0_2_00E0B936
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Code function: 0_2_00E0AAE8 push edx; iretd	0_2_00E0AB02
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Code function: 0_2_00E0BA3A push ecx; iretd	0_2_00E0BA3E
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Code function: 0_2_00E0BBB8 push edx; iretd	0_2_00E0BBBE
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Code function: 0_2_04D66410 push esp; iretd	0_2_04D66411
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Code function: 0_2_04E28404 push ebp; iretd	0_2_04E28406
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Code function: 0_2_04E2785D push esi; iretd	0_2_04E27866
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Code function: 0_2_04E26AA6 push ebp; iretd	0_2_04E26AA7
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Code function: 0_2_04E26AAB push esi; iretd	0_2_04E26AB7
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Code function: 0_2_0CBE1CBF push dword ptr [edx+ebp*2-75h]; iretd	0_2_0CBE1CCF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05EAF451 pushad ; iretd	8_2_05EAF45D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05EAA7E8 pushfd ; retf	8_2_05EAA7E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05EA9A68 push eax; ret	8_2_05EA9A69
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Code function: 9_2_0AB1140D push FFFFFF8Bh; iretd	9_2_0AB1140F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_00402AC0 push eax; ret	17_2_00402AD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_00402AC0 push eax; ret	17_2_00402AFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 24_2_08AA9A68 push eax; ret	24_2_08AA9A69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 24_2_08AA9E01 push esp; ret	24_2_08AA9E0D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 24_2_08AAA7E8 pushfd ; retf	24_2_08AAA7E9

Source: OEoRzjI7JgSiUUd.exe	Static PE information: section name: .text entropy: 7.837775805069583
Source: yteYLhteU.exe.0.dr	Static PE information: section name: .text entropy: 7.837775805069583

Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, YQ6JAqgmNIqG2nhURw.cs	High entropy of concatenated method names: 'VSAuGvrwkQ', 'USKuepgW7r', 'PDpugiMuWy', 'F41uFh6k3i', 'kIQuDsCdZ2', 'wfyuBAGmt1', 'ESAuXi4EuP', 'F8HuJUKIWJ', 'W1Yuf3e8vu', 'E3fuRFdX3x'
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, cDn0Qo9HCQ30u6S4nu.cs	High entropy of concatenated method names: 'IyEoqIfSZi', 'KqEoVckubv', 'ToString', 'RxHoEaeI9F', 'yqXo0t2ZGd', 'Useon2oMAI', 'iWDoL6Kp42', 'VGuoAOrUJT', 'IxRo8OEQmS', 'dwdoPFhOR3'
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, nroUmejDUDrkq3MyKv.cs	High entropy of concatenated method names: 'x3nsnElu4J', 'd7DsLHWZho', 'TVTsAAQDFK', 'icIs8DOSH4', 'NRssH4fDDB', 'wmHsPf1Hbw', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, E63fPPYbahUofKDqlW4.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DmQaH6iOVF', 'TuYas5sluR', 'gkvaZAAWyy', 'XROaaS9gsU', 'k1UawHgjax', 'Q7kaxu2jHZ', 'ziPak3k4bC'
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, gf6RDVNi4qOeXcu5yK.cs	High entropy of concatenated method names: 'pFZ2JlsAA', 'iFkcC7sqk', 'XktOuqhC8', 'ArSQ9qMDN', 'yvbIS3rk8', 'SRI3tBBdN', 'xaUQ3YX9pZMtRMaJPp', 'hp2bITvbMkNHV24uHv', 'RG0CmSu64', 'bINsAYjsu'
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, JlkgOR0cS0vaXLE6iv.cs	High entropy of concatenated method names: 'Dispose', 'darYylPf9J', 'aZuNDyJ8FM', 'oLU5HwkEMI', 'yhHYj8mZLA', 'cMuYzIs2LY', 'ProcessDialogKey', 'M95N1omWSO', 'aQFNYwLlbs', 'DEpNNVroUm'
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, lfXOvClHQEsmHwJc5l.cs	High entropy of concatenated method names: 's9L0gHVKqd', 'mjq0F3ZACd', 'fI40muHVSh', 'vQh09cUp9x', 'zHs05llUnE', 'gow0WxOgqA', 'P8a0rcmqxJ', 'AYd0d71bY3', 'KWb0yPbOc8', 'Gw20jf0PMv'
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, g9xk0PruVbarlPf9J4.cs	High entropy of concatenated method names: 'oN3HuXHJe1', 'wnnHop41Nc', 'F1ZHHrbeGj', 'T4OHZogP5H', 'TjBHwI4Tqb', 'J63HkHMt2T', 'Dispose', 'z1bCEPln8p', 'odVC0ckwBn', 'EICCnRhDAM'
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, i1d4JGRG8Lqe19gjjY.cs	High entropy of concatenated method names: 'ESO8EK21Nh', 'Dig8ntvdMB', 'bvI8AE0cHt', 'w35AjNv22F', 'DK4AzuUWT7', 's8w81WaXNs', 'fGR8YQ1J4X', 'iSl8NGqkeU', 'I8C8hnnGLS', 'K2S8b1Am7e'
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, xsUd4eIdplbqBZLpue.cs	High entropy of concatenated method names: 'skTncCrW54', 'U7enOUs6Mw', 'P1gnl8lGpu', 'N7YnIlarKh', 'rAjnuX5cpq', 'eEVniOOe2b', 'ngNnoH7kIv', 'CDBnCnrsBi', 'SrPnH4g8Wk', 'dx7ns4ZSfL'
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, EphPaPbPeSPvCxi7O2.cs	High entropy of concatenated method names: 'iPqY8fXOvC', 'sQEYPsmHwJ', 'PdpYqlbqBZ', 'hpuYVeo1yy', 'KPwYuRnw0a', 'EpYYidLgEh', 'bLaiZQwmk1MVaUuyfS', 'pYjCvJabbex6sYyxIS', 'UeXZmqxm9VZtskLCsa', 'qULYYY7JI2'
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, q1yy3630Xw3FSfPwRn.cs	High entropy of concatenated method names: 'Mm1LKaQdqN', 'QD9LQUm8NU', 'S1fnBiwNXO', 'pUFnXbOU68', 'i1JnJWPNxP', 'jxxnf9VSwQ', 'U1DnRZTjXm', 'wRdnvuyunk', 'd6jnTp619r', 'havnGyDIQV'
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, VpHj5NPdmXJOXIqXUB.cs	High entropy of concatenated method names: 'fa1hp3x0Ka', 'VGZhE2Su2x', 'sVah004yhp', 'm0Vhn7W0b9', 'b6AhL4iP3Y', 'OeLhA5S7tI', 'SNdh8mtWOA', 'VfGhPyrKgg', 'cWwhSmxyq0', 'mjchqSOEPf'
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, giQyjIW32yCpx7NLMf.cs	High entropy of concatenated method names: 'FfhodRU9Km', 'tgZojCt2gT', 'XxxC1wtieH', 'BG0CYlvVdg', 'h68otLElP0', 'PEeoek9NOk', 'tcJoMAhpJx', 'HIHog82OVs', 'HCjoFwyqtJ', 'rl7om7Gl78'
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, UomWSOy1QFwLlbslEp.cs	High entropy of concatenated method names: 'YfUHUiw8Rh', 'DNtHDq82BM', 'fL2HBLEkBP', 'CIDHXSZqnw', 'oDkHJliaZr', 'SgGHfhwQxI', 'GkOHRfM8rl', 'ckOHvippLt', 'ftvHT4yZvo', 'fh6HGpJDxT'
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, v0aIpYUdLgEhiEEx6K.cs	High entropy of concatenated method names: 'WVFApCenD1', 'kRRA0ng79P', 'ANiALmHc7u', 'J7JA88Icr8', 'yGFAPs52OZ', 'RvwL5GyCc1', 'CRyLWkv0kM', 'nh4LrwtQkP', 'Lm5Ldi9B04', 'ItcLyT0Dt6'
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, gMa1VKYYoN8IGqPPpmT.cs	High entropy of concatenated method names: 'lQDsjFuNh3', 'HiTszkOMml', 'cEfZ1hBN95', 'pZeZYDkesx', 'G9oZNU5wrW', 'xrhZhc1TXn', 'eAWZbToTUR', 'hhnZpvBKvy', 'nTBZEWgQMU', 'NA9Z0Eb5EV'
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, DIyLtRTqCndktNbFo4.cs	High entropy of concatenated method names: 'Q6k86vn5MQ', 'zuq84Qs4wg', 'gVb820OZWN', 'UCE8cCpwXo', 'CeR8KqLuSH', 'Wgd8OAbkIH', 'aOX8QJgsjj', 'tNd8lv67Xl', 'U9b8IjltHW', 'HWP83BUI1j'
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, q0yU1UMvTKWO9XQqWq.cs	High entropy of concatenated method names: 'Qs17lXCKBF', 'UCL7I47sFe', 'bsV7UtLfeH', 'nf37D1c01d', 'VRn7XXLXhh', 'eA87JXkGNj', 'sbr7RDqiD6', 'Een7vjbkLt', 'jTC7GYhPRi', 'mQs7tXIm4A'
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, iDwiaJzXI0bR3rs8E5.cs	High entropy of concatenated method names: 'AaHsOq70PG', 'eEkslN3TqM', 'knisIMdqrN', 'Pq7sU45vN5', 'ddGsDAF2OQ', 'UAMsXKDbpV', 'CFMsJE4wN1', 'IoDskL4RgU', 'Qgws6CBJmy', 'IM6s4wNQIU'
Source: 0.2.OEoRzjI7JgSiUUd.exe.94a0000.3.raw.unpack, zMan7bnQtLmUhL8JEn.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'UH4Ny4SnIZ', 'z4gNjXc8vO', 'K6INz0nwC2', 'T6Mh1p6rQV', 'cQChYVDrOf', 'B9OhNnBYvP', 'BXNhh9c79S', 'qqjn6IO8i6a8H51XKQg'
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, fL29SX3JKWHa26kQt4.cs	High entropy of concatenated method names: 'UCVJtVmGwQ', 'ESFJS1F84p', 'KdFJaXVOKr', 'xjyJhfG7IW', 'bOWJjYBOjS', 'zIuaV0R73m', 'UA0aTOUJUb', 'CLqaOgFyT5', 'e5VaGW0PVE', 'ECxad3HjxV'
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, JjEFwqeYA2pi2tdEA0.cs	High entropy of concatenated method names: 'ToString', 'pqP8I1c9u2', 'zpr8MxZI1y', 'EeT8Ws4VfA', 'DZX8HBkOhG', 'CsS8kCDwYB', 'Qs28ftF78A', 'AFw8l4Ek52', 'FHc84syD0F', 'yhi8sdZfGF'
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, jEAEsIX7FVWtqw3VulQ.cs	High entropy of concatenated method names: 'Iu3KR9xGKV', 'amnKz8yLet', 'ttnFPRJROB', 'SCAYqvVXbBuSKeeZ650', 'z2y52RV5qHUTl2QPO9F', 'D8raFOVqZ9x06uijw4t', 'yqmBt5VIENdYsPiAyO3', 'QBFVXrVC2VgZdnCWtAH', 'EY8tvdVuMh6FgXM9SRL'
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, yxTHqcXiMsidREFJDXo.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GN8FgsQXjc', 'iT1Fudy2n2', 'lLiFKfYXEl', 'jYoFFUjEGG', 'U7SFUA7dj9', 'BVLFLSXHri', 'zrAFxw4s8M'
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, vWjipLXXwBxLdlFDm7T.cs	High entropy of concatenated method names: 'N7MuRYaNZV', 'vV9uzFGSgx', 'LiMKPinQll', 'GDgKX6Lcoc', 'b8iKDoNxdo', 'exlK7adGrE', 'kuOKiK7lLi', 'cGPKtNkMYh', 'rKLKNLoJie', 'W7aKSwqmr6'
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, SUETjriNPUEcYEYNbu.cs	High entropy of concatenated method names: 'w65XhnVK1B', 'PljXjLThom', 'o9rX6FCaOx', 'pI8XCTpX31', 'r7MXoHxNL2', 'DSXX8JKWHa', 'mybJSjqiT0rCyLqPxF', 'KlcsLTIC6wf5KLSrtu', 'v3xXXVTlTX', 'IYAX7F0cpj'
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, iZjubMsri4FYc5EPn6.cs	High entropy of concatenated method names: 'cTmhpgmUfr', 'rkVhcCj5UO', 'OkghAMG4GB', 'u6ihwLyHF6', 'dlShbhagC3', 'bVyhQnxXYw', 'kmbhZwIQcX', 'Bmxh9KGFKf', 'Fv1hBYykqu', 'HNah0vOPgm'
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, HusxbRmWv71Dtq2tGt.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'uNuDdgNs6i', 'vg5DR3hGU0', 'SvADzWgoos', 'ALE7PITAE1', 'fk57XLTbiM', 'TMH7DOpGJk', 'pC477glI4x', 'StlaCG1Vs1qyuaSbNb3'
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, ghl0EhORkcusfQSmXN.cs	High entropy of concatenated method names: 'oUkgoYxE6u', 'nDOgv7Vshn', 'VuoggeGwTO', 'ls0gKXxZRQ', 'GOigU2JI4e', 'esdgxdhMyf', 'Dispose', 'D3X1NxI21R', 'TSK1StUmhK', 'p8H1mkEsWl'
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, uK1oMND5KJpQKt6Ax9.cs	High entropy of concatenated method names: 'DMaASj4Pg', 'bW0wnqDXV', 'WIPQ3ygRx', 'MlaZv8t11', 'vMNBBxaan', 'lUo0LQlB5', 'vER7hrFSNZld96yClY', 'sgn8jtbRiPIBqOtunO', 'auQ1p26lE', 'Ys1u1v9im'
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, P7sQQuzbHRdTKJ62RV.cs	High entropy of concatenated method names: 'hGKuQvenV9', 'OG4u9UMdmX', 'PVIuBR3vHB', 'Dqou3g6fBU', 'YqxuMEn6pe', 'BahuHLEBTB', 'U3xukXgiud', 'atRuxXaEeJ', 'Wk7upgKBVo', 'ypEucrydfn'
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, A4rTttd7J68yQ28HSI.cs	High entropy of concatenated method names: 'dAMg3RkU9O', 'nPNgMEfFWA', 'qKugWamcb6', 'l6CgHqPpZS', 'AOOgkphvpT', 'Cwfgfqyppm', 'flRgluEEsK', 'kJSg431JO3', 'ie0gsqWY8Q', 'xsfg2JxD9w'
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, knVK1B9YljLThomR34.cs	High entropy of concatenated method names: 'cxISnwWWjW', 'oadSEbEOon', 't5CSeEERGC', 'R41SqhWarC', 'VHISVYEnEN', 'dSTSTdDAK1', 'HbSSOfEdDB', 'eu5SGenlWv', 'ibPSdPrpvK', 'icgSRDI61f'
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, oP13NPREag6rAykIvN.cs	High entropy of concatenated method names: 'deQumEIX1B', 'N5rualrqtV', 'HKauJ73OyT', 'KyjuhCHeYY', 'jldug78syy', 'SBOujO5w69', 'Next', 'Next', 'Next', 'NextBytes'
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, I4OfpoB9rFCaOx8I8T.cs	High entropy of concatenated method names: 'NgemwPbx5m', 'UbZmQFUAPJ', 'OXrm9heuRd', 'shWmB4JD1y', 'OpemoVBEwA', 'wb8m83nmqA', 'jLOmvU2hsN', 'aXGm1Jxy2K', 'ipBmgkocX1', 'VokmuSwaSU'
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, yX31wU0NkopCE17MHx.cs	High entropy of concatenated method names: 'Lseab4WpNP', 'duJaZ6Ygkv', 'AuCmW1Wu7v', 'dsUmHm9RHd', 'Rg3mklsWCV', 'IqkmfWHV57', 'K1CmlQ1Cts', 'LEpm4i4eeh', 'PdsmsDgRZa', 'bDhm2Y5O4E'
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, FHc8UCrmBbRnJ5wDJj.cs	High entropy of concatenated method names: 'wBLy9duG9I', 'TxwyBNI8Nl', 'Lgyy3x2FPl', 'UmAyMXfx5L', 'TeayHNBqJb', 'U29ykoODch', 'LRDylqsJh2', 'fOry4SgeiT', 'FdJy2CMkIh', 'cxMyIFuj1Y'
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, iC6v2PXPAevv2n20rB6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YjxuIkWLms', 'fVTuYEcIxS', 'Iyrur8GkAQ', 'FwjunDKmb2', 'IQwuEs8lKr', 'TyPueWwAVO', 'mROuqXes8u'
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, vKC1b7TdVtLqMhoMnq.cs	High entropy of concatenated method names: 'EwovGLAE6F', 'Hk1vRdhFiN', 'qd31PMWlci', 'XmP1X9vU0V', 'IJnvIwUFgv', 'z6vvYhVBc2', 'LUTvr4qc7D', 'HStvn1t3pj', 'xVwvEZjUyv', 'FV5veh1Ox0'
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, vmM98jS8xa4ivZYyUL.cs	High entropy of concatenated method names: 'Dispose', 'yusXdfQSmX', 'FyrDMikCv4', 'ynSbIsZtjG', 'fHCXRG5WF0', 'wfaXzlMeA5', 'ProcessDialogKey', 'CtwDP4rTtt', 'cJ6DX8yQ28', 'ISIDDoP13N'
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, hcgnnAjGQ4KxqADGLY.cs	High entropy of concatenated method names: 'JBv7t720iS', 'y6r7NQ8xTj', 'VYW7SG3Ct6', 'LE07mhSWFy', 'v0H7aFtxT6', 'zk47JjI24j', 'WOw7hShCDU', 'WSN7jSpyXL', 'EH175OSY4B', 'aFm76SAFKZ'
Source: 8.2.RegSvcs.exe.4e27d40.5.raw.unpack, GxRMCtnKCqNFhrP4Jq.cs	High entropy of concatenated method names: 'ORro2ZRKPB', 'st3oYjmx0q', 'CXDonPJXiD', 'mIdoEb8FlV', 'bTCoMs7jJw', 'KHRoWrP0vu', 'M4GoH9NkQZ', 'm7PokDeFSC', 'wWiofFyKgP', 'C3DolwpUht'
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, fL29SX3JKWHa26kQt4.cs	High entropy of concatenated method names: 'UCVJtVmGwQ', 'ESFJS1F84p', 'KdFJaXVOKr', 'xjyJhfG7IW', 'bOWJjYBOjS', 'zIuaV0R73m', 'UA0aTOUJUb', 'CLqaOgFyT5', 'e5VaGW0PVE', 'ECxad3HjxV'
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, JjEFwqeYA2pi2tdEA0.cs	High entropy of concatenated method names: 'ToString', 'pqP8I1c9u2', 'zpr8MxZI1y', 'EeT8Ws4VfA', 'DZX8HBkOhG', 'CsS8kCDwYB', 'Qs28ftF78A', 'AFw8l4Ek52', 'FHc84syD0F', 'yhi8sdZfGF'
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, jEAEsIX7FVWtqw3VulQ.cs	High entropy of concatenated method names: 'Iu3KR9xGKV', 'amnKz8yLet', 'ttnFPRJROB', 'SCAYqvVXbBuSKeeZ650', 'z2y52RV5qHUTl2QPO9F', 'D8raFOVqZ9x06uijw4t', 'yqmBt5VIENdYsPiAyO3', 'QBFVXrVC2VgZdnCWtAH', 'EY8tvdVuMh6FgXM9SRL'
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, yxTHqcXiMsidREFJDXo.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GN8FgsQXjc', 'iT1Fudy2n2', 'lLiFKfYXEl', 'jYoFFUjEGG', 'U7SFUA7dj9', 'BVLFLSXHri', 'zrAFxw4s8M'
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, vWjipLXXwBxLdlFDm7T.cs	High entropy of concatenated method names: 'N7MuRYaNZV', 'vV9uzFGSgx', 'LiMKPinQll', 'GDgKX6Lcoc', 'b8iKDoNxdo', 'exlK7adGrE', 'kuOKiK7lLi', 'cGPKtNkMYh', 'rKLKNLoJie', 'W7aKSwqmr6'
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, SUETjriNPUEcYEYNbu.cs	High entropy of concatenated method names: 'w65XhnVK1B', 'PljXjLThom', 'o9rX6FCaOx', 'pI8XCTpX31', 'r7MXoHxNL2', 'DSXX8JKWHa', 'mybJSjqiT0rCyLqPxF', 'KlcsLTIC6wf5KLSrtu', 'v3xXXVTlTX', 'IYAX7F0cpj'
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, iZjubMsri4FYc5EPn6.cs	High entropy of concatenated method names: 'cTmhpgmUfr', 'rkVhcCj5UO', 'OkghAMG4GB', 'u6ihwLyHF6', 'dlShbhagC3', 'bVyhQnxXYw', 'kmbhZwIQcX', 'Bmxh9KGFKf', 'Fv1hBYykqu', 'HNah0vOPgm'
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, HusxbRmWv71Dtq2tGt.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'uNuDdgNs6i', 'vg5DR3hGU0', 'SvADzWgoos', 'ALE7PITAE1', 'fk57XLTbiM', 'TMH7DOpGJk', 'pC477glI4x', 'StlaCG1Vs1qyuaSbNb3'
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, ghl0EhORkcusfQSmXN.cs	High entropy of concatenated method names: 'oUkgoYxE6u', 'nDOgv7Vshn', 'VuoggeGwTO', 'ls0gKXxZRQ', 'GOigU2JI4e', 'esdgxdhMyf', 'Dispose', 'D3X1NxI21R', 'TSK1StUmhK', 'p8H1mkEsWl'
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, uK1oMND5KJpQKt6Ax9.cs	High entropy of concatenated method names: 'DMaASj4Pg', 'bW0wnqDXV', 'WIPQ3ygRx', 'MlaZv8t11', 'vMNBBxaan', 'lUo0LQlB5', 'vER7hrFSNZld96yClY', 'sgn8jtbRiPIBqOtunO', 'auQ1p26lE', 'Ys1u1v9im'
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, P7sQQuzbHRdTKJ62RV.cs	High entropy of concatenated method names: 'hGKuQvenV9', 'OG4u9UMdmX', 'PVIuBR3vHB', 'Dqou3g6fBU', 'YqxuMEn6pe', 'BahuHLEBTB', 'U3xukXgiud', 'atRuxXaEeJ', 'Wk7upgKBVo', 'ypEucrydfn'
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, A4rTttd7J68yQ28HSI.cs	High entropy of concatenated method names: 'dAMg3RkU9O', 'nPNgMEfFWA', 'qKugWamcb6', 'l6CgHqPpZS', 'AOOgkphvpT', 'Cwfgfqyppm', 'flRgluEEsK', 'kJSg431JO3', 'ie0gsqWY8Q', 'xsfg2JxD9w'
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, knVK1B9YljLThomR34.cs	High entropy of concatenated method names: 'cxISnwWWjW', 'oadSEbEOon', 't5CSeEERGC', 'R41SqhWarC', 'VHISVYEnEN', 'dSTSTdDAK1', 'HbSSOfEdDB', 'eu5SGenlWv', 'ibPSdPrpvK', 'icgSRDI61f'
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, oP13NPREag6rAykIvN.cs	High entropy of concatenated method names: 'deQumEIX1B', 'N5rualrqtV', 'HKauJ73OyT', 'KyjuhCHeYY', 'jldug78syy', 'SBOujO5w69', 'Next', 'Next', 'Next', 'NextBytes'
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, I4OfpoB9rFCaOx8I8T.cs	High entropy of concatenated method names: 'NgemwPbx5m', 'UbZmQFUAPJ', 'OXrm9heuRd', 'shWmB4JD1y', 'OpemoVBEwA', 'wb8m83nmqA', 'jLOmvU2hsN', 'aXGm1Jxy2K', 'ipBmgkocX1', 'VokmuSwaSU'
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, yX31wU0NkopCE17MHx.cs	High entropy of concatenated method names: 'Lseab4WpNP', 'duJaZ6Ygkv', 'AuCmW1Wu7v', 'dsUmHm9RHd', 'Rg3mklsWCV', 'IqkmfWHV57', 'K1CmlQ1Cts', 'LEpm4i4eeh', 'PdsmsDgRZa', 'bDhm2Y5O4E'
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, FHc8UCrmBbRnJ5wDJj.cs	High entropy of concatenated method names: 'wBLy9duG9I', 'TxwyBNI8Nl', 'Lgyy3x2FPl', 'UmAyMXfx5L', 'TeayHNBqJb', 'U29ykoODch', 'LRDylqsJh2', 'fOry4SgeiT', 'FdJy2CMkIh', 'cxMyIFuj1Y'
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, iC6v2PXPAevv2n20rB6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YjxuIkWLms', 'fVTuYEcIxS', 'Iyrur8GkAQ', 'FwjunDKmb2', 'IQwuEs8lKr', 'TyPueWwAVO', 'mROuqXes8u'
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, vKC1b7TdVtLqMhoMnq.cs	High entropy of concatenated method names: 'EwovGLAE6F', 'Hk1vRdhFiN', 'qd31PMWlci', 'XmP1X9vU0V', 'IJnvIwUFgv', 'z6vvYhVBc2', 'LUTvr4qc7D', 'HStvn1t3pj', 'xVwvEZjUyv', 'FV5veh1Ox0'
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, vmM98jS8xa4ivZYyUL.cs	High entropy of concatenated method names: 'Dispose', 'yusXdfQSmX', 'FyrDMikCv4', 'ynSbIsZtjG', 'fHCXRG5WF0', 'wfaXzlMeA5', 'ProcessDialogKey', 'CtwDP4rTtt', 'cJ6DX8yQ28', 'ISIDDoP13N'
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, hcgnnAjGQ4KxqADGLY.cs	High entropy of concatenated method names: 'JBv7t720iS', 'y6r7NQ8xTj', 'VYW7SG3Ct6', 'LE07mhSWFy', 'v0H7aFtxT6', 'zk47JjI24j', 'WOw7hShCDU', 'WSN7jSpyXL', 'EH175OSY4B', 'aFm76SAFKZ'
Source: 8.2.RegSvcs.exe.4e86160.2.raw.unpack, GxRMCtnKCqNFhrP4Jq.cs	High entropy of concatenated method names: 'ORro2ZRKPB', 'st3oYjmx0q', 'CXDonPJXiD', 'mIdoEb8FlV', 'bTCoMs7jJw', 'KHRoWrP0vu', 'M4GoH9NkQZ', 'm7PokDeFSC', 'wWiofFyKgP', 'C3DolwpUht'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe			Jump to dropped file
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	File created: C:\Users\user\AppData\Roaming\yteYLhteU.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yteYLhteU" /XML "C:\Users\user\AppData\Local\Temp\tmpFF21.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: OEoRzjI7JgSiUUd.exe PID: 3132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yteYLhteU.exe PID: 7492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4504, type: MEMORYSTR

Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Memory allocated: E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Memory allocated: 2890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Memory allocated: 27B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Memory allocated: 9A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Memory allocated: 9680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Memory allocated: AA80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Memory allocated: BA80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Memory allocated: 1770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Memory allocated: 3280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Memory allocated: 1770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Memory allocated: 78A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Memory allocated: 88A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Memory allocated: 8A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Memory allocated: 9A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe	Memory allocated: 18F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe	Memory allocated: 32D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe	Memory allocated: 52D0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6347	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6478	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 373	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6545
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 435

Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe TID: 3844	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7272	Thread sleep count: 6347 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7452	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7280	Thread sleep count: 282 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7344	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7480	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7428	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe TID: 7556	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7840	Thread sleep count: 6545 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8020	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8032	Thread sleep count: 137 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7908	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8016	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7980	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe TID: 8128	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 17_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

17_2_00403D74

Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe	Thread delayed: delay time: 922337203685477

Source: RegSvcs.exe, 00000008.00000002.1854170354.00000000075A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&
Source: RegSvcs.exe, 00000011.00000002.2956376552.0000000001328000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 17_2_0040317B mov eax, dword ptr fs:[00000030h]

17_2_0040317B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 17_2_00402B7C GetProcessHeap,RtlAllocateHeap,

17_2_00402B7C

Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe"
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yteYLhteU.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe"
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe"	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yteYLhteU.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 496000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 49A000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: CC5008	Jump to behavior

Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe"	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yteYLhteU.exe"	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yteYLhteU" /XML "C:\Users\user\AppData\Local\Temp\tmpFF21.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKLIKWXJXPZTHN" /XML "C:\Users\user\AppData\Local\Temp\tmp15A7.tmp"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yteYLhteU" /XML "C:\Users\user\AppData\Local\Temp\tmp1FD8.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKLIKWXJXPZTHN" /XML "C:\Users\user\AppData\Local\Temp\tmp3871.tmp"

Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Queries volume information: C:\Users\user\AppData\Roaming\yteYLhteU.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yteYLhteU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe	Queries volume information: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\OEoRzjI7JgSiUUd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4d63280.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.RegSvcs.exe.3f49990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4d49260.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.RegSvcs.exe.3f639b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1847898439.0000000004D49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2955828597.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1847898439.0000000004D63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2218781345.0000000003F63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2218781345.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1835371381.000000000350F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4504, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000011.00000002.2956376552.0000000001328000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: PopPassword		17_2_0040D069
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: SmtpPassword		17_2_0040D069

Source: Yara match	File source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4d63280.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.RegSvcs.exe.3f49990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.4d49260.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.RegSvcs.exe.3f639b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1847898439.0000000004D49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2955828597.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1847898439.0000000004D63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2218781345.0000000003F63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2218781345.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1835371381.000000000350F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	2 Credentials in Registry	13 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	4 Obfuscated Files or Information	Security Account Manager	121 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Scheduled Task/Job	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	311 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OEoRzjI7JgSiUUd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
OEoRzjI7JgSiUUd.exe