Analysis Report Conan Fegan - Aluminium.exe

Overview

General Information

Sample Name: Conan Fegan - Aluminium.exe
Analysis ID: 356211
MD5: 708ee64939578fbb07010e20f6c7672c
SHA1: 335dc9a9142b528848b8446be2afda844f6d673f
SHA256: f1a43d8b49bda3c88eb1c314c9460a92c0b467ea8db4c9086ac8e3bfe358e511
Tags: Loki

Most interesting Screenshot:

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Lokibot
Yara detected Lokibot
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection:

barindex
Antivirus / Scanner detection for submitted sample
Source: Conan Fegan - Aluminium.exe Avira: detected
Found malware configuration
Source: 00000000.00000002.651436438.0000000002D01000.00000004.00000001.sdmp Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "https://www.ritcophysiotherapy.com.au/wap121/five/fre.php"]}
Machine Learning detection for sample
Source: Conan Fegan - Aluminium.exe Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: Conan Fegan - Aluminium.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Conan Fegan - Aluminium.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 5_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 5_2_00403D74

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_07A3DE28
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 4x nop then jmp 07A3C2B3h 0_2_07A3C1FF
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_07A3DF24

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49745 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49745 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49745 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49747 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49747 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49747 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49749 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49749 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49749 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49750 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49750 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49750 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49751 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49751 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49751 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49752 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49752 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49752 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49753 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49753 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49753 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49754 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49754 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49754 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49755 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49755 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49755 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49756 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49756 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49756 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49757 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49757 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49757 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49758 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49758 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49758 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49759 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49759 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49759 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49760 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49760 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49760 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49763 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49763 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49763 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49764 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49764 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49764 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49765 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49765 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49765 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49766 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49766 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49766 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49767 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49767 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49767 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49768 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49768 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49768 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49769 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49769 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49769 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49770 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49770 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49770 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49771 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49771 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49771 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49772 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49772 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49772 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49773 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49773 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49773 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49774 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49774 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49774 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49777 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49777 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49777 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49781 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49781 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49781 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49784 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49784 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49784 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49788 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49788 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49788 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49790 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49790 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49790 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49792 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49792 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49792 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49793 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49793 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49793 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49794 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49794 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49794 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49795 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49795 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49795 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49796 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49796 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49796 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49797 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49797 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49797 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49798 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49798 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49798 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49799 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49799 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49799 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49800 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49800 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49800 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49804 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49804 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49804 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49805 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49805 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49805 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49811 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49811 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49811 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49812 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49812 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49812 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49813 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49813 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49813 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49814 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49814 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49814 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49815 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49815 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49815 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49816 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49816 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49816 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49817 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49817 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49817 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49818 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49818 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49818 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49819 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49819 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49819 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49820 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49820 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49820 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49821 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49821 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49821 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49822 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49822 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49822 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49823 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49823 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49823 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49824 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49824 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49824 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49825 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49825 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49825 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49826 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49826 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49826 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49827 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49827 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49827 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49828 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49828 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49828 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49829 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49829 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49829 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49830 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49830 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49830 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49831 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49831 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49831 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49832 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49832 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49832 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49833 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49833 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49833 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49834 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49834 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49834 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49835 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49835 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49835 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49837 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49837 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49837 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49839 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49839 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49839 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49840 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49840 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49840 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49841 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49841 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49841 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49842 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49842 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49842 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49843 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49843 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49843 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49844 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49844 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49844 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49845 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49845 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49845 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49846 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49846 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49846 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49847 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49847 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49847 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49848 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49848 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49848 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49849 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49849 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49849 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49850 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49850 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49850 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49851 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49851 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49851 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49852 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49852 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49852 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49853 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49853 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49853 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49854 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49854 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49854 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49855 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49855 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49855 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49856 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49856 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49856 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49857 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49857 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49857 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49858 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49858 -> 203.170.84.89:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49858 -> 203.170.84.89:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor URLs: https://www.ritcophysiotherapy.com.au/wap121/five/fre.php
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 190Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 190Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: global traffic HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 163Connection: close
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 5_2_00404ED4 recv, 5_2_00404ED4
Source: unknown DNS traffic detected: queries for: www.ritcophysiotherapy.com.au
Source: unknown HTTP traffic detected: POST /wap121/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: www.ritcophysiotherapy.com.auAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: AD291CEContent-Length: 190Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 22 Feb 2021 18:13:02 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingX-Powered-By: PHP/7.2.34Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.652969440.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.652969440.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Conan Fegan - Aluminium.exe, 00000000.00000003.638473832.0000000005B8D000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.652969440.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.652969440.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.652969440.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.652969440.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.652969440.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.652969440.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.652969440.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.652969440.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.652969440.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Conan Fegan - Aluminium.exe, 00000000.00000003.650636211.0000000005B50000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: Conan Fegan - Aluminium.exe, 00000000.00000003.650636211.0000000005B50000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comionF
Source: Conan Fegan - Aluminium.exe, 00000000.00000003.650636211.0000000005B50000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.commi
Source: Conan Fegan - Aluminium.exe, 00000000.00000003.635133696.0000000005B6B000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: Conan Fegan - Aluminium.exe, 00000000.00000003.635133696.0000000005B6B000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comc
Source: Conan Fegan - Aluminium.exe, 00000000.00000003.636344129.0000000005B57000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Conan Fegan - Aluminium.exe, 00000000.00000003.636630818.0000000005B56000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: Conan Fegan - Aluminium.exe, 00000000.00000003.636508473.0000000005B58000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/;
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.652969440.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.652969440.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Conan Fegan - Aluminium.exe, 00000000.00000003.636508473.0000000005B58000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn9
Source: Conan Fegan - Aluminium.exe, 00000000.00000003.636140982.0000000005B5E000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnFk
Source: Conan Fegan - Aluminium.exe, 00000000.00000003.636508473.0000000005B58000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnO
Source: Conan Fegan - Aluminium.exe, 00000000.00000003.636344129.0000000005B57000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cng
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.652969440.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.652969440.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Conan Fegan - Aluminium.exe, 00000000.00000003.650636211.0000000005B50000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm-
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.652969440.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Conan Fegan - Aluminium.exe, Conan Fegan - Aluminium.exe, 00000005.00000002.900810400.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.ibsensoftware.com/
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.652969440.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Conan Fegan - Aluminium.exe, 00000000.00000003.634766145.0000000005B53000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Conan Fegan - Aluminium.exe, 00000000.00000003.634766145.0000000005B53000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.coma
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.652969440.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.652969440.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.652969440.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.652969440.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.652969440.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.652969440.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.651436438.0000000002D01000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Conan Fegan - Aluminium.exe, 00000005.00000002.900851249.000000000049F000.00000040.00000001.sdmp String found in binary or memory: https://www.ritcophysiotherapy.com.au/wap121/five/fre.php

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.651632346.0000000003D09000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.900810400.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000005.00000002.900810400.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.651436438.0000000002D01000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Conan Fegan - Aluminium.exe.3e3d4e0.2.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Conan Fegan - Aluminium.exe.3e3d4e0.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Conan Fegan - Aluminium.exe.3eccf90.3.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Conan Fegan - Aluminium.exe.3eccf90.3.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Conan Fegan - Aluminium.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.Conan Fegan - Aluminium.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Conan Fegan - Aluminium.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.Conan Fegan - Aluminium.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Conan Fegan - Aluminium.exe.3eccf90.3.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Conan Fegan - Aluminium.exe.3eccf90.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Conan Fegan - Aluminium.exe.2d63264.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Conan Fegan - Aluminium.exe.2d63264.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Conan Fegan - Aluminium.exe.3dfbac0.4.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Conan Fegan - Aluminium.exe.3dfbac0.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: Conan Fegan - Aluminium.exe, frmlogin.cs Long String: Length: 13656
Source: 0.2.Conan Fegan - Aluminium.exe.960000.0.unpack, frmlogin.cs Long String: Length: 13656
Source: 0.0.Conan Fegan - Aluminium.exe.960000.0.unpack, frmlogin.cs Long String: Length: 13656
Source: 5.2.Conan Fegan - Aluminium.exe.c20000.1.unpack, frmlogin.cs Long String: Length: 13656
Source: 5.0.Conan Fegan - Aluminium.exe.c20000.0.unpack, frmlogin.cs Long String: Length: 13656
Detected potential crypto function
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 0_2_00969526 0_2_00969526
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 0_2_0096B3F4 0_2_0096B3F4
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 0_2_0096A47C 0_2_0096A47C
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 0_2_07A38DF8 0_2_07A38DF8
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 0_2_07A30040 0_2_07A30040
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 0_2_07A30D80 0_2_07A30D80
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 0_2_07A38DEA 0_2_07A38DEA
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 0_2_07A3C5FF 0_2_07A3C5FF
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 0_2_07A38417 0_2_07A38417
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 0_2_07A32BC7 0_2_07A32BC7
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 0_2_07A32BD8 0_2_07A32BD8
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 0_2_07A34190 0_2_07A34190
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 5_2_0040549C 5_2_0040549C
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 5_2_004029D4 5_2_004029D4
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 5_2_00C2A47C 5_2_00C2A47C
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 5_2_00C29526 5_2_00C29526
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 5_2_00C2B3F4 5_2_00C2B3F4
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: String function: 00405B6F appears 42 times
Sample file is different than original file name gathered from version info
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.654833481.00000000077B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Conan Fegan - Aluminium.exe
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.654938639.00000000079A0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Conan Fegan - Aluminium.exe
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.650852695.00000000009C4000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCallConvCdecl.exe4 vs Conan Fegan - Aluminium.exe
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.651436438.0000000002D01000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAsyncState.dllF vs Conan Fegan - Aluminium.exe
Source: Conan Fegan - Aluminium.exe, 00000005.00000002.900934959.0000000000C84000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCallConvCdecl.exe4 vs Conan Fegan - Aluminium.exe
Source: Conan Fegan - Aluminium.exe Binary or memory string: OriginalFilenameCallConvCdecl.exe4 vs Conan Fegan - Aluminium.exe
Uses 32bit PE files
Source: Conan Fegan - Aluminium.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000000.00000002.651632346.0000000003D09000.00000004.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.900810400.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000005.00000002.900810400.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.651436438.0000000002D01000.00000004.00000001.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Conan Fegan - Aluminium.exe.3e3d4e0.2.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Conan Fegan - Aluminium.exe.3e3d4e0.2.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Conan Fegan - Aluminium.exe.3eccf90.3.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Conan Fegan - Aluminium.exe.3eccf90.3.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.Conan Fegan - Aluminium.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.Conan Fegan - Aluminium.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.Conan Fegan - Aluminium.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.Conan Fegan - Aluminium.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Conan Fegan - Aluminium.exe.3eccf90.3.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Conan Fegan - Aluminium.exe.3eccf90.3.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Conan Fegan - Aluminium.exe.2d63264.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 0.2.Conan Fegan - Aluminium.exe.2d63264.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Conan Fegan - Aluminium.exe.2d63264.1.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Conan Fegan - Aluminium.exe.3dfbac0.4.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Conan Fegan - Aluminium.exe.3dfbac0.4.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Conan Fegan - Aluminium.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Conan Fegan - Aluminium.exe, frmlogin.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.2.Conan Fegan - Aluminium.exe.960000.0.unpack, frmlogin.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.0.Conan Fegan - Aluminium.exe.960000.0.unpack, frmlogin.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 5.2.Conan Fegan - Aluminium.exe.c20000.1.unpack, frmlogin.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 5.0.Conan Fegan - Aluminium.exe.c20000.0.unpack, frmlogin.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/3@88/2
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 5_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges, 5_2_0040650A
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 5_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize, 5_2_0040434D
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Conan Fegan - Aluminium.exe.log Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
Source: Conan Fegan - Aluminium.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.651436438.0000000002D01000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.651436438.0000000002D01000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: unknown Process created: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe 'C:\Users\user\Desktop\Conan Fegan - Aluminium.exe'
Source: unknown Process created: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe C:\Users\user\Desktop\Conan Fegan - Aluminium.exe
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process created: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Jump to behavior
Source: Conan Fegan - Aluminium.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Conan Fegan - Aluminium.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: Conan Fegan - Aluminium.exe, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Conan Fegan - Aluminium.exe.960000.0.unpack, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Conan Fegan - Aluminium.exe.960000.0.unpack, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.Conan Fegan - Aluminium.exe.c20000.1.unpack, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Conan Fegan - Aluminium.exe.c20000.0.unpack, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Yara detected aPLib compressed binary
Source: Yara match File source: 00000000.00000002.651632346.0000000003D09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.900810400.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.651436438.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Conan Fegan - Aluminium.exe PID: 7008, type: MEMORY
Source: Yara match File source: Process Memory Space: Conan Fegan - Aluminium.exe PID: 4748, type: MEMORY
Source: Yara match File source: 0.2.Conan Fegan - Aluminium.exe.3e3d4e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Conan Fegan - Aluminium.exe.3eccf90.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Conan Fegan - Aluminium.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Conan Fegan - Aluminium.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Conan Fegan - Aluminium.exe.3eccf90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Conan Fegan - Aluminium.exe.2d63264.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Conan Fegan - Aluminium.exe.3dfbac0.4.raw.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 0_2_07A365E8 push esp; retf 0_2_07A365E9
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 0_2_07A3E9FD push FFFFFF8Bh; iretd 0_2_07A3E9FF
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 5_2_00402AC0 push eax; ret 5_2_00402AD4
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 5_2_00402AC0 push eax; ret 5_2_00402AFC
Source: initial sample Static PE information: section name: .text entropy: 7.26782540442
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process information set: NOGPFAULTERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM_3
Source: Yara match File source: 00000000.00000002.651436438.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Conan Fegan - Aluminium.exe PID: 4748, type: MEMORY
Source: Yara match File source: 0.2.Conan Fegan - Aluminium.exe.2d63264.1.raw.unpack, type: UNPACKEDPE
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.651436438.0000000002D01000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.651436438.0000000002D01000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe TID: 3716 Thread sleep time: -103082s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe TID: 684 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe TID: 4600 Thread sleep time: -960000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 5_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 5_2_00403D74
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.651436438.0000000002D01000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.651436438.0000000002D01000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.651436438.0000000002D01000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: Conan Fegan - Aluminium.exe, 00000000.00000002.651436438.0000000002D01000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

barindex
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 5_2_0040317B mov eax, dword ptr fs:[00000030h] 5_2_0040317B
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 5_2_00402B7C GetProcessHeap,RtlAllocateHeap, 5_2_00402B7C
Enables debug privileges
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Memory written: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Process created: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Jump to behavior
Source: Conan Fegan - Aluminium.exe, 00000005.00000002.901234801.0000000001810000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Conan Fegan - Aluminium.exe, 00000005.00000002.901234801.0000000001810000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Conan Fegan - Aluminium.exe, 00000005.00000002.901234801.0000000001810000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Conan Fegan - Aluminium.exe, 00000005.00000002.901234801.0000000001810000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: 5_2_00406069 GetUserNameW, 5_2_00406069
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Lokibot
Source: Yara match File source: 00000000.00000002.651632346.0000000003D09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.900810400.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.651436438.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Conan Fegan - Aluminium.exe PID: 7008, type: MEMORY
Source: Yara match File source: Process Memory Space: Conan Fegan - Aluminium.exe PID: 4748, type: MEMORY
Source: Yara match File source: 0.2.Conan Fegan - Aluminium.exe.3e3d4e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Conan Fegan - Aluminium.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Conan Fegan - Aluminium.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Conan Fegan - Aluminium.exe.3eccf90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Conan Fegan - Aluminium.exe.2d63264.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Conan Fegan - Aluminium.exe.3dfbac0.4.raw.unpack, type: UNPACKEDPE
Yara detected Lokibot
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000005.00000002.901084712.000000000121A000.00000004.00000001.sdmp, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: PopPassword 5_2_0040D069
Source: C:\Users\user\Desktop\Conan Fegan - Aluminium.exe Code function: SmtpPassword 5_2_0040D069
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000002.651632346.0000000003D09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.900810400.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.651436438.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Conan Fegan - Aluminium.exe PID: 7008, type: MEMORY
Source: Yara match File source: 0.2.Conan Fegan - Aluminium.exe.3e3d4e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Conan Fegan - Aluminium.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Conan Fegan - Aluminium.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Conan Fegan - Aluminium.exe.3eccf90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Conan Fegan - Aluminium.exe.2d63264.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Conan Fegan - Aluminium.exe.3dfbac0.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Yara detected Lokibot
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000005.00000002.901084712.000000000121A000.00000004.00000001.sdmp, type: MEMORY
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
203.170.84.89
 unknown Australia
38719 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU true

Private
IP
192.168.2.1

Contacted Domains

Name IP Active
www.ritcophysiotherapy.com.au 203.170.84.89 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://kbfvzoboss.bid/alien/fre.php true
  • Avira URL Cloud: safe
 unknown
http://www.ritcophysiotherapy.com.au/wap121/five/fre.php true
  • Avira URL Cloud: safe
 unknown
http://alphastand.top/alien/fre.php true
  • Avira URL Cloud: safe
 unknown
http://alphastand.win/alien/fre.php true
  • Avira URL Cloud: safe
 unknown
http://alphastand.trade/alien/fre.php true
  • Avira URL Cloud: safe
 unknown
https://www.ritcophysiotherapy.com.au/wap121/five/fre.php true
  • Avira URL Cloud: safe
 unknown