Windows Analysis Report
FVR-N2411-07396.exe

Overview

General Information

Sample name: FVR-N2411-07396.exe
Analysis ID: 1564533
MD5: 2f402635e17b4f0d9c0d6922d384936a
SHA1: 2753a159f2cf160733b1ceeede1db57d2dde0375
SHA256: bfd4e29505627b76243c4ea34c07b22af7edc00391b112e78c2dc3cf7a48d742
Tags: exeLokiuser-abuse_ch
Infos:

Detection

Lokibot, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Lokibot
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected aPLib compressed binary
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Loki Password Stealer (PWS), LokiBot "Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2
  • SWEED
  • The Gorgon Group
  • Cobalt
 https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

AV Detection
barindex
Found malware configuration
Source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.41/soja/five/fre.php"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe ReversingLabs: Detection: 47%
Multi AV Scanner detection for submitted file
Source: FVR-N2411-07396.exe ReversingLabs: Detection: 47%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: FVR-N2411-07396.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: FVR-N2411-07396.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: FVR-N2411-07396.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: yRKC.pdbSHA256z3 source: FVR-N2411-07396.exe, ZeJFfrYmOnJKS.exe.0.dr
Source: Binary string: yRKC.pdb source: FVR-N2411-07396.exe, ZeJFfrYmOnJKS.exe.0.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Code function: 4x nop then jmp 0720B48Bh 0_2_0720AD0B
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 4x nop then jmp 0810A733h 8_2_08109FB3

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49718 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49712 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49745 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49714 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49718 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49714 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49751 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49713 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49715 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49713 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49713 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49708 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49711 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49712 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49726 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49712 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49715 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49715 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49718 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49708 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49708 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49727 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49727 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49727 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49721 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49724 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49721 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49721 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49712 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:49708 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49745 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49751 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49751 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49709 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49709 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49709 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49739 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49714 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49739 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49733 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49781 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49781 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49739 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49718 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49711 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49711 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49713 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49733 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49733 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49713
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49714 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49712
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49715 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49721 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49785 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49724 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49745 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49711 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49745 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49711
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49745
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49727 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49781 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49718
Source: Network traffic Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:49709 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49733 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49771 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49771 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49771 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49775 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49775 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49775 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49824 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49824 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49824 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49829 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49721
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49724 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49724 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49751 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49739 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49851 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49751
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49801 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49801 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49781 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49785 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49811 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49771 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49771
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49727
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49851 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49829 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49851 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49801 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49811 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49811 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49726 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49726 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49824 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49714
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49877 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49791 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49877 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49791 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49791 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49877 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49768 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49882 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49882 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49882 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49851 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49801 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49733
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49757 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49785 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49791 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49833 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49833 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49833 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49811 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49833 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49757 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49768 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49724
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49726 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49897 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49739
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49791
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49902 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49781
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49785 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49882 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49757 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49785
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49882
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49833
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49757 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49897 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49877 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49867 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49867 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49840 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49867 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49840 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49840 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49715
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49775 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49840 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49902 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49797 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49797 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49797 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49829 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49768 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49768 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49897 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49928 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49928 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49928 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49867 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49726
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49801
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49829 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49928 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49797 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49936 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49806 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49948 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49757
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49750 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49750 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49750 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49897 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49845 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49902 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49845 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49936 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49902 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49928
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49897
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49862 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49902
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49862 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49797
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49954 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49954 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49954 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49851
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49954 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49908 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49862 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49954
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49948 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49806 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49806 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49877
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49829
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49857 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49768
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49917 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49857 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49840
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49857 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49908 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49970 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49970 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49984 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49970 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49984 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49984 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49871 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49862 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49845 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49970 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49984 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49917 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49942 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49970
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49845 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49959 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49959 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49959 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49948 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49942 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49942 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49959 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49948 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49750 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49908 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49948
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49871 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49871 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49908 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49871 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49806 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49908
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49862
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49936 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49979 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49845
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49979 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49979 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49942 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49979 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49979
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49871
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49867
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49936 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49959
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49888 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49942
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49888 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49917 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49775
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49931 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49931 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49931 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49917 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49806
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49931 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49888 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49811
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49888 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49837 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49837 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49837 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49837 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49857 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49984
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49936
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49917
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49931
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49837
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49857
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49975 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49975 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49975 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49923 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49923 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49888
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49923 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49893 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49965 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49893 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49965 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49893 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49965 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49975 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49750
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49965 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49923 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49965
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49975
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49893 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49923
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49762 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49762 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49762 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49893
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49762 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49762
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49818 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49818 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49818 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49818 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49818
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49913 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49913 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49913 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49913 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49913
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49951 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49951 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49951 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49951 -> 94.156.177.41:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49951
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49824
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor URLs: 94.156.177.41/soja/five/fre.php
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 94.156.177.41 94.156.177.41
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NET1-ASBG NET1-ASBG
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 180Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 180Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 12_2_00404ED4 recv, 12_2_00404ED4
Source: unknown HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 180Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:05 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:07 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:09 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:11 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:13 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:14 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:16 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:18 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:20 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:22 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:23 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:25 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:27 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:29 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:31 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:32 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:34 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:36 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:38 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:39 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:41 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:43 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:45 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:47 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:49 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:51 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:52 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:54 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:57 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:59 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:01 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:03 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:05 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:06 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:08 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:11 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:13 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:15 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:16 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:18 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:20 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:22 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:24 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:26 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:27 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:29 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:31 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:33 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:35 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:37 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:39 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:40 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:43 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:45 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:46 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:48 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:50 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:52 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:54 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:56 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:57 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:59 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:54:01 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:54:03 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: FVR-N2411-07396.exe, 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, ZeJFfrYmOnJKS.exe, 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ZeJFfrYmOnJKS.exe, ZeJFfrYmOnJKS.exe, 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.ibsensoftware.com/

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: FVR-N2411-07396.exe PID: 2668, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: ZeJFfrYmOnJKS.exe PID: 1436, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: ZeJFfrYmOnJKS.exe PID: 6400, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Detected potential crypto function
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Code function: 0_2_0284D63C 0_2_0284D63C
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Code function: 0_2_04FB6CE8 0_2_04FB6CE8
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Code function: 0_2_04FB0040 0_2_04FB0040
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Code function: 0_2_04FB001E 0_2_04FB001E
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Code function: 0_2_04FB6CE1 0_2_04FB6CE1
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Code function: 0_2_0720C6D8 0_2_0720C6D8
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Code function: 0_2_07206E08 0_2_07206E08
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Code function: 0_2_07204EC0 0_2_07204EC0
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Code function: 0_2_07206588 0_2_07206588
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Code function: 0_2_07206598 0_2_07206598
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Code function: 0_2_072052E8 0_2_072052E8
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Code function: 0_2_072052F8 0_2_072052F8
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Code function: 0_2_072069D0 0_2_072069D0
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 8_2_00B4D63C 8_2_00B4D63C
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 8_2_06E1D708 8_2_06E1D708
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 8_2_06E1DC28 8_2_06E1DC28
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 8_2_06E1AA60 8_2_06E1AA60
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 8_2_06E1D6FB 8_2_06E1D6FB
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 8_2_06E1A7C8 8_2_06E1A7C8
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 8_2_06E1A7B8 8_2_06E1A7B8
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 8_2_06E1DCFE 8_2_06E1DCFE
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 8_2_06E1DC1B 8_2_06E1DC1B
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 8_2_06E1AA4F 8_2_06E1AA4F
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 8_2_0810B990 8_2_0810B990
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 8_2_081069D0 8_2_081069D0
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 8_2_081052F8 8_2_081052F8
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 8_2_081052E8 8_2_081052E8
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 8_2_08106598 8_2_08106598
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 8_2_08106E08 8_2_08106E08
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 8_2_08104EC0 8_2_08104EC0
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 12_2_0040549C 12_2_0040549C
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 12_2_004029D4 12_2_004029D4
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: String function: 00405B6F appears 42 times
Sample file is different than original file name gathered from version info
Source: FVR-N2411-07396.exe, 00000000.00000002.2051846710.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs FVR-N2411-07396.exe
Source: FVR-N2411-07396.exe, 00000000.00000000.2006719176.0000000000726000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameyRKC.exe4 vs FVR-N2411-07396.exe
Source: FVR-N2411-07396.exe, 00000000.00000002.2072739008.00000000089E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs FVR-N2411-07396.exe
Source: FVR-N2411-07396.exe, 00000000.00000002.2053905676.0000000003BC2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs FVR-N2411-07396.exe
Source: FVR-N2411-07396.exe, 00000000.00000002.2071531160.0000000005540000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs FVR-N2411-07396.exe
Source: FVR-N2411-07396.exe, 00000000.00000002.2053219827.0000000002A61000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs FVR-N2411-07396.exe
Source: FVR-N2411-07396.exe Binary or memory string: OriginalFilenameyRKC.exe4 vs FVR-N2411-07396.exe
Uses 32bit PE files
Source: FVR-N2411-07396.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: FVR-N2411-07396.exe PID: 2668, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: ZeJFfrYmOnJKS.exe PID: 1436, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: ZeJFfrYmOnJKS.exe PID: 6400, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: FVR-N2411-07396.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ZeJFfrYmOnJKS.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.FVR-N2411-07396.exe.5540000.6.raw.unpack, kAOj1Y7pfP90kycNNw.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.FVR-N2411-07396.exe.2a7de7c.2.raw.unpack, kAOj1Y7pfP90kycNNw.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, apDEs3fGTU4OZfKjCi.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, apDEs3fGTU4OZfKjCi.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, CttdtNZs0aZFMns15c.cs Security API names: _0020.SetAccessControl
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, CttdtNZs0aZFMns15c.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, CttdtNZs0aZFMns15c.cs Security API names: _0020.AddAccessRule
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, CttdtNZs0aZFMns15c.cs Security API names: _0020.SetAccessControl
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, CttdtNZs0aZFMns15c.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, CttdtNZs0aZFMns15c.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@16/13@0/1
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 12_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize, 12_2_0040434D
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe File created: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:320:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_03
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe File created: C:\Users\user\AppData\Local\Temp\tmpA6B9.tmp Jump to behavior
Source: FVR-N2411-07396.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FVR-N2411-07396.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: FVR-N2411-07396.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe File read: C:\Users\user\Desktop\FVR-N2411-07396.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\FVR-N2411-07396.exe "C:\Users\user\Desktop\FVR-N2411-07396.exe"
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpA6B9.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process created: C:\Users\user\Desktop\FVR-N2411-07396.exe "C:\Users\user\Desktop\FVR-N2411-07396.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpC1C3.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process created: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe"
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe" Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpA6B9.tmp" Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process created: C:\Users\user\Desktop\FVR-N2411-07396.exe "C:\Users\user\Desktop\FVR-N2411-07396.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpC1C3.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process created: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe" Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Jump to behavior
Source: FVR-N2411-07396.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: FVR-N2411-07396.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: FVR-N2411-07396.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: yRKC.pdbSHA256z3 source: FVR-N2411-07396.exe, ZeJFfrYmOnJKS.exe.0.dr
Source: Binary string: yRKC.pdb source: FVR-N2411-07396.exe, ZeJFfrYmOnJKS.exe.0.dr

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.FVR-N2411-07396.exe.5540000.6.raw.unpack, kAOj1Y7pfP90kycNNw.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.FVR-N2411-07396.exe.2a7de7c.2.raw.unpack, kAOj1Y7pfP90kycNNw.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
.NET source code contains potential unpacker
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, CttdtNZs0aZFMns15c.cs .Net Code: PA78pcebas System.Reflection.Assembly.Load(byte[])
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, CttdtNZs0aZFMns15c.cs .Net Code: PA78pcebas System.Reflection.Assembly.Load(byte[])
Source: 0.2.FVR-N2411-07396.exe.5540000.6.raw.unpack, GtaAIbrHXObmMm8GPA.cs .Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])
Source: 0.2.FVR-N2411-07396.exe.2a7de7c.2.raw.unpack, GtaAIbrHXObmMm8GPA.cs .Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])
Yara detected aPLib compressed binary
Source: Yara match File source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FVR-N2411-07396.exe.3a024c8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FVR-N2411-07396.exe PID: 2668, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ZeJFfrYmOnJKS.exe PID: 1436, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ZeJFfrYmOnJKS.exe PID: 6400, type: MEMORYSTR
Binary contains a suspicious time stamp
Source: FVR-N2411-07396.exe Static PE information: 0xD1D92115 [Fri Jul 25 11:18:45 2081 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Code function: 0_2_0284EFB0 push esp; iretd 0_2_0284EFB1
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Code function: 0_2_07200CD2 push FFFFFFBBh; ret 0_2_07200CD4
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 8_2_00B4EFB0 push esp; iretd 8_2_00B4EFB1
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 12_2_00402AC0 push eax; ret 12_2_00402AD4
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 12_2_00402AC0 push eax; ret 12_2_00402AFC
Source: FVR-N2411-07396.exe Static PE information: section name: .text entropy: 7.731637245415364
Source: ZeJFfrYmOnJKS.exe.0.dr Static PE information: section name: .text entropy: 7.731637245415364
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, kR5Zu6rQZ9pk5Z1T9Y.cs High entropy of concatenated method names: 'jWGuOxCXC4', 'MhRuvKSXgT', 'DuRupfZ1Ay', 'tA3uhkJfkR', 'EfouS7XS2b', 'UppumaWtFP', 'bbluPFD7kS', 'sgOufq0cT5', 'IUuuTVXudN', 'pyOuimrhI1'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, yoviBaDFVvgmcnwmMa.cs High entropy of concatenated method names: 'K0n7BoxZV2', 'Wx17LC0bwZ', 'JeK77k2ooD', 'WuJ7kqYBS7', 'wCb7yjedtA', 'ciw7tmU9vI', 'Dispose', 'Dh1nAmq8La', 'f8anHJsUxC', 'Ascn0Y9aWn'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, Tsw2ZcHAjSja6s8HSf.cs High entropy of concatenated method names: 'Dispose', 'ygmCRcnwmM', 'sr6WwsXyh3', 'dGqWB1boNy', 'NAPCXQI9J4', 'Y2aCzreK42', 'ProcessDialogKey', 'ktpWFF9nXe', 'fnOWCkkXrg', 'SNmWWWWFvx'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, vMlPAnTPODhkqCPJR0.cs High entropy of concatenated method names: 'MLq0hoy2Ue', 'hl50mwyNHh', 'gPr0fGL45I', 'GGg0TEiHh2', 'IPJ0B6luEl', 'DnR0dtGwtJ', 'VOh0LYHA0T', 'BMg0nXwPdR', 'C1l07tAiUr', 'SUp0KuHjox'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, BtG9i9CCpdyu6WtoZHM.cs High entropy of concatenated method names: 'H9FKXil0UO', 'Dn5KzNJYie', 'Fp8kFQCXUa', 'VAFkCw5QQX', 'WeukWTLjTC', 'l1ikoaBy3l', 't0Qk859SCT', 'Aepkgwrj9T', 'M7YkANQEa4', 'qI2kHhGIpU'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, bJK5w298pUyP0g8lHM.cs High entropy of concatenated method names: 'ssuLVRWIfh', 'yfULXJCscI', 'gNxnF7j3Xl', 'MiCnCe5j42', 'LonLYuBSmB', 'Q0NL34iD43', 'UGiLeZFNlc', 'sUUL1qI1vi', 'rvwL5G54fb', 'pMvLEjgKDX'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, ITxStP87Ysreue9pxA.cs High entropy of concatenated method names: 'aACCupDEs3', 'GTUCZ4OZfK', 'rPOC6DhkqC', 'CJRCb0jYuY', 'SKHCBfe6uc', 'qRtCdG0HaK', 'c4XT6IfENjMQ6ukpRA', 'Hfw6CVwc7KAuFuFwZb', 'qMYCC2lUw2', 'CxkCoboxni'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, apDEs3fGTU4OZfKjCi.cs High entropy of concatenated method names: 'EQiH11E60H', 'qJaH5iMy7A', 'd0wHEpcwVh', 'UYHH4apGl4', 'eqVHQxmB6A', 'gs8H9FN2jl', 'Wj5HD7Uomf', 'RrZHVKsGl3', 'l65HRoR9QF', 'vheHXHHrHD'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, FLeEUIeZnbExMFAReZ.cs High entropy of concatenated method names: 'FT4lfpFPTt', 'MpVlTX0U98', 'XpDlGOA4gv', 'XJ4lwhSrIE', 'mMIl2xhQex', 'MeRlJVW4vu', 'HsKljQ6OFE', 'wMAlcZ8gC6', 'S7bla3qhBR', 'MwjlYm5Nc6'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, xiDyMSzBX4NyV3rjYM.cs High entropy of concatenated method names: 'un0Km4gmmJ', 'fBIKfn7djX', 'rrCKThCruP', 'JX9KGnDhEl', 'm5GKw56NI7', 'QyoK2KLYsf', 'UlwKJtogKo', 'v9uKt3UC9m', 'uoSKOvNuAo', 'wvtKvT7LCK'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, mucLRtGG0HaKkrRQgu.cs High entropy of concatenated method names: 'lMNIgNwVH5', 'wwcIHiSjhi', 'g1gIxpZPU5', 'f09Iu7b1tf', 'vU0IZSS023', 'H6xxQbfqtQ', 'yrpx9KpnBU', 'zIfxDA13ZT', 'iBPxVigHX5', 'O38xRh6Rv0'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, fZoudy0p4k5NuTxMFa.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'T38WRyKA3X', 'Id2WXRuY76', 'WmTWzAihLn', 'OxYoF0myjY', 'xgEoC6j6si', 'fMhoWfG7Gu', 'S03oo9D1hN', 'HppypyqXguitEsX1EEC'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, zF9nXeRHnOkkXrg5Nm.cs High entropy of concatenated method names: 'S5H7GlNfL9', 'Hi87wjG14M', 'MwM7NvgRYj', 'Tsd72m23n6', 'Mdd7JhMKMP', 'AJR7UfOiVn', 'xci7jLJ6Gq', 'fk47c7Tbd2', 'RnP7r8m7vk', 'AFy7a0H6vu'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, SNqeZA1SD2vlv8fMBa.cs High entropy of concatenated method names: 'MrMBaGUGuC', 'WNGB3EJXw3', 'afqB1pbsBg', 'AbZB5udXyD', 'HDoBwo2bja', 'gV7BN0yqy8', 'gTZB2nnnFA', 'kBLBJvaqHj', 'ugZBUuxnc8', 'Xs4BjwiDyU'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, LYuYgyidosNTOEKHfe.cs High entropy of concatenated method names: 'XKfxSpdPAA', 'lj9xPHxpgB', 'dqC0NNoZhS', 'r0C020NtFV', 'sIm0JkoAxh', 'Tvj0UUp2xS', 'X8m0jxxHh1', 'zFk0cUrVIq', 'pCE0rZW4ek', 'iMd0agXrAH'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, KyFtrLW9OxiCByct8O.cs High entropy of concatenated method names: 'FeWpYBlEv', 'yXRhD2Hgb', 'wupm6Vg8S', 'wH0PtKdrm', 'y9MTs2IgB', 'CeGibS8OO', 'a7Lt9TGVWb3kaHoWfA', 'WAWqanxCDpyPGsRlCV', 'irZnLrRH4', 'DaYKYurex'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, qQ1kUHCFvTre2fluZHZ.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bpRKYhDnvP', 'JXpK33sS71', 'XTOKeMukX7', 'SvdK1i4cRY', 'aBdK5ZwZy8', 'a6dKEWGHw5', 'RJHK4XV03a'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, CttdtNZs0aZFMns15c.cs High entropy of concatenated method names: 'DpEoghXPVh', 'wyRoAfA078', 'lk3oHq0r5f', 'yNZo0qLoNG', 'WqGoxOv6C0', 'kZqoIH8f6q', 'JP6ouIknPJ', 'r1DoZDH6M4', 'UNToMcp8v5', 'An8o6CgMob'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, kR5Zu6rQZ9pk5Z1T9Y.cs High entropy of concatenated method names: 'jWGuOxCXC4', 'MhRuvKSXgT', 'DuRupfZ1Ay', 'tA3uhkJfkR', 'EfouS7XS2b', 'UppumaWtFP', 'bbluPFD7kS', 'sgOufq0cT5', 'IUuuTVXudN', 'pyOuimrhI1'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, yoviBaDFVvgmcnwmMa.cs High entropy of concatenated method names: 'K0n7BoxZV2', 'Wx17LC0bwZ', 'JeK77k2ooD', 'WuJ7kqYBS7', 'wCb7yjedtA', 'ciw7tmU9vI', 'Dispose', 'Dh1nAmq8La', 'f8anHJsUxC', 'Ascn0Y9aWn'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, Tsw2ZcHAjSja6s8HSf.cs High entropy of concatenated method names: 'Dispose', 'ygmCRcnwmM', 'sr6WwsXyh3', 'dGqWB1boNy', 'NAPCXQI9J4', 'Y2aCzreK42', 'ProcessDialogKey', 'ktpWFF9nXe', 'fnOWCkkXrg', 'SNmWWWWFvx'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, vMlPAnTPODhkqCPJR0.cs High entropy of concatenated method names: 'MLq0hoy2Ue', 'hl50mwyNHh', 'gPr0fGL45I', 'GGg0TEiHh2', 'IPJ0B6luEl', 'DnR0dtGwtJ', 'VOh0LYHA0T', 'BMg0nXwPdR', 'C1l07tAiUr', 'SUp0KuHjox'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, BtG9i9CCpdyu6WtoZHM.cs High entropy of concatenated method names: 'H9FKXil0UO', 'Dn5KzNJYie', 'Fp8kFQCXUa', 'VAFkCw5QQX', 'WeukWTLjTC', 'l1ikoaBy3l', 't0Qk859SCT', 'Aepkgwrj9T', 'M7YkANQEa4', 'qI2kHhGIpU'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, bJK5w298pUyP0g8lHM.cs High entropy of concatenated method names: 'ssuLVRWIfh', 'yfULXJCscI', 'gNxnF7j3Xl', 'MiCnCe5j42', 'LonLYuBSmB', 'Q0NL34iD43', 'UGiLeZFNlc', 'sUUL1qI1vi', 'rvwL5G54fb', 'pMvLEjgKDX'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, ITxStP87Ysreue9pxA.cs High entropy of concatenated method names: 'aACCupDEs3', 'GTUCZ4OZfK', 'rPOC6DhkqC', 'CJRCb0jYuY', 'SKHCBfe6uc', 'qRtCdG0HaK', 'c4XT6IfENjMQ6ukpRA', 'Hfw6CVwc7KAuFuFwZb', 'qMYCC2lUw2', 'CxkCoboxni'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, apDEs3fGTU4OZfKjCi.cs High entropy of concatenated method names: 'EQiH11E60H', 'qJaH5iMy7A', 'd0wHEpcwVh', 'UYHH4apGl4', 'eqVHQxmB6A', 'gs8H9FN2jl', 'Wj5HD7Uomf', 'RrZHVKsGl3', 'l65HRoR9QF', 'vheHXHHrHD'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, FLeEUIeZnbExMFAReZ.cs High entropy of concatenated method names: 'FT4lfpFPTt', 'MpVlTX0U98', 'XpDlGOA4gv', 'XJ4lwhSrIE', 'mMIl2xhQex', 'MeRlJVW4vu', 'HsKljQ6OFE', 'wMAlcZ8gC6', 'S7bla3qhBR', 'MwjlYm5Nc6'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, xiDyMSzBX4NyV3rjYM.cs High entropy of concatenated method names: 'un0Km4gmmJ', 'fBIKfn7djX', 'rrCKThCruP', 'JX9KGnDhEl', 'm5GKw56NI7', 'QyoK2KLYsf', 'UlwKJtogKo', 'v9uKt3UC9m', 'uoSKOvNuAo', 'wvtKvT7LCK'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, mucLRtGG0HaKkrRQgu.cs High entropy of concatenated method names: 'lMNIgNwVH5', 'wwcIHiSjhi', 'g1gIxpZPU5', 'f09Iu7b1tf', 'vU0IZSS023', 'H6xxQbfqtQ', 'yrpx9KpnBU', 'zIfxDA13ZT', 'iBPxVigHX5', 'O38xRh6Rv0'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, fZoudy0p4k5NuTxMFa.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'T38WRyKA3X', 'Id2WXRuY76', 'WmTWzAihLn', 'OxYoF0myjY', 'xgEoC6j6si', 'fMhoWfG7Gu', 'S03oo9D1hN', 'HppypyqXguitEsX1EEC'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, zF9nXeRHnOkkXrg5Nm.cs High entropy of concatenated method names: 'S5H7GlNfL9', 'Hi87wjG14M', 'MwM7NvgRYj', 'Tsd72m23n6', 'Mdd7JhMKMP', 'AJR7UfOiVn', 'xci7jLJ6Gq', 'fk47c7Tbd2', 'RnP7r8m7vk', 'AFy7a0H6vu'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, SNqeZA1SD2vlv8fMBa.cs High entropy of concatenated method names: 'MrMBaGUGuC', 'WNGB3EJXw3', 'afqB1pbsBg', 'AbZB5udXyD', 'HDoBwo2bja', 'gV7BN0yqy8', 'gTZB2nnnFA', 'kBLBJvaqHj', 'ugZBUuxnc8', 'Xs4BjwiDyU'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, LYuYgyidosNTOEKHfe.cs High entropy of concatenated method names: 'XKfxSpdPAA', 'lj9xPHxpgB', 'dqC0NNoZhS', 'r0C020NtFV', 'sIm0JkoAxh', 'Tvj0UUp2xS', 'X8m0jxxHh1', 'zFk0cUrVIq', 'pCE0rZW4ek', 'iMd0agXrAH'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, KyFtrLW9OxiCByct8O.cs High entropy of concatenated method names: 'FeWpYBlEv', 'yXRhD2Hgb', 'wupm6Vg8S', 'wH0PtKdrm', 'y9MTs2IgB', 'CeGibS8OO', 'a7Lt9TGVWb3kaHoWfA', 'WAWqanxCDpyPGsRlCV', 'irZnLrRH4', 'DaYKYurex'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, qQ1kUHCFvTre2fluZHZ.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bpRKYhDnvP', 'JXpK33sS71', 'XTOKeMukX7', 'SvdK1i4cRY', 'aBdK5ZwZy8', 'a6dKEWGHw5', 'RJHK4XV03a'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, CttdtNZs0aZFMns15c.cs High entropy of concatenated method names: 'DpEoghXPVh', 'wyRoAfA078', 'lk3oHq0r5f', 'yNZo0qLoNG', 'WqGoxOv6C0', 'kZqoIH8f6q', 'JP6ouIknPJ', 'r1DoZDH6M4', 'UNToMcp8v5', 'An8o6CgMob'
Source: 0.2.FVR-N2411-07396.exe.5540000.6.raw.unpack, FZaOUuOPvnEAfIAr0M.cs High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
Source: 0.2.FVR-N2411-07396.exe.5540000.6.raw.unpack, GtaAIbrHXObmMm8GPA.cs High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
Source: 0.2.FVR-N2411-07396.exe.5540000.6.raw.unpack, kAOj1Y7pfP90kycNNw.cs High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'
Source: 0.2.FVR-N2411-07396.exe.2a7de7c.2.raw.unpack, FZaOUuOPvnEAfIAr0M.cs High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
Source: 0.2.FVR-N2411-07396.exe.2a7de7c.2.raw.unpack, GtaAIbrHXObmMm8GPA.cs High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
Source: 0.2.FVR-N2411-07396.exe.2a7de7c.2.raw.unpack, kAOj1Y7pfP90kycNNw.cs High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'
Drops PE files
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe File created: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpA6B9.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process information set: NOGPFAULTERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: FVR-N2411-07396.exe PID: 2668, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ZeJFfrYmOnJKS.exe PID: 1436, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Memory allocated: 2840000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Memory allocated: 29E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Memory allocated: 49E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Memory allocated: 8B80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Memory allocated: 9B80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Memory allocated: 9D80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Memory allocated: AD80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Memory allocated: B40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Memory allocated: 2860000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Memory allocated: CD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Memory allocated: 87B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Memory allocated: 8260000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Memory allocated: 97B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Memory allocated: A7B0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7881 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1691 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe TID: 2680 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6664 Thread sleep time: -9223372036854770s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe TID: 3720 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe TID: 6640 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: FVR-N2411-07396.exe, 00000000.00000002.2072739008.00000000089E0000.00000004.08000000.00040000.00000000.sdmp, FVR-N2411-07396.exe, 00000000.00000002.2053905676.0000000003BC2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qEMu6JdlAP
Source: FVR-N2411-07396.exe, 00000007.00000002.3255881950.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ZeJFfrYmOnJKS.exe, 0000000C.00000002.2128021520.0000000001498000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 12_2_0040317B mov eax, dword ptr fs:[00000030h] 12_2_0040317B
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: 12_2_00402B7C GetProcessHeap,HeapAlloc, 12_2_00402B7C
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe"
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Memory written: C:\Users\user\Desktop\FVR-N2411-07396.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Memory written: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe" Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpA6B9.tmp" Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Process created: C:\Users\user\Desktop\FVR-N2411-07396.exe "C:\Users\user\Desktop\FVR-N2411-07396.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpC1C3.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Process created: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Queries volume information: C:\Users\user\Desktop\FVR-N2411-07396.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Queries volume information: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Lokibot
Source: Yara match File source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FVR-N2411-07396.exe PID: 2668, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ZeJFfrYmOnJKS.exe PID: 1436, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ZeJFfrYmOnJKS.exe PID: 6400, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000007.00000002.3255881950.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FVR-N2411-07396.exe PID: 1496, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.FVR-N2411-07396.exe.2a7de7c.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FVR-N2411-07396.exe.5540000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FVR-N2411-07396.exe.5540000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FVR-N2411-07396.exe.2a6ddb0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FVR-N2411-07396.exe.2a7de7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.ZeJFfrYmOnJKS.exe.28dde98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FVR-N2411-07396.exe.2a6ddb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FVR-N2411-07396.exe.2a65d98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2071531160.0000000005540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2053219827.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2130538149.00000000028CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: PopPassword 12_2_0040D069
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe Code function: SmtpPassword 12_2_0040D069
Yara detected Credential Stealer
Source: Yara match File source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.FVR-N2411-07396.exe.2a7de7c.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FVR-N2411-07396.exe.5540000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FVR-N2411-07396.exe.5540000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FVR-N2411-07396.exe.2a6ddb0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FVR-N2411-07396.exe.2a7de7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.ZeJFfrYmOnJKS.exe.28dde98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FVR-N2411-07396.exe.2a6ddb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FVR-N2411-07396.exe.2a65d98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2071531160.0000000005540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2053219827.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2130538149.00000000028CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1564533 Sample: FVR-N2411-07396.exe Startdate: 28/11/2024 Architecture: WINDOWS Score: 100 43 Suricata IDS alerts for network traffic 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 12 other signatures 2->49 7 FVR-N2411-07396.exe 7 2->7         started        11 ZeJFfrYmOnJKS.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\...\ZeJFfrYmOnJKS.exe, PE32 7->33 dropped 35 C:\...\ZeJFfrYmOnJKS.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmpA6B9.tmp, XML 7->37 dropped 39 C:\Users\user\...\FVR-N2411-07396.exe.log, ASCII 7->39 dropped 51 Uses schtasks.exe or at.exe to add and modify task schedules 7->51 53 Adds a directory exclusion to Windows Defender 7->53 55 Injects a PE file into a foreign processes 7->55 13 FVR-N2411-07396.exe 156 7->13         started        17 powershell.exe 23 7->17         started        19 schtasks.exe 1 7->19         started        57 Multi AV Scanner detection for dropped file 11->57 59 Tries to steal Mail credentials (via file registry) 11->59 61 Machine Learning detection for dropped file 11->61 21 schtasks.exe 1 11->21         started        23 ZeJFfrYmOnJKS.exe 11->23         started        signatures5 process6 dnsIp7 41 94.156.177.41, 49708, 49709, 49711 NET1-ASBG Bulgaria 13->41 63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->63 65 Tries to steal Mail credentials (via file / registry access) 13->65 67 Tries to harvest and steal ftp login credentials 13->67 69 Tries to harvest and steal browser information (history, passwords, etc) 13->69 71 Loading BitLocker PowerShell Module 17->71 25 WmiPrvSE.exe 17->25         started        27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        signatures8 process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
94.156.177.41
 unknown Bulgaria
43561 NET1-ASBG true

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.210.172 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://kbfvzoboss.bid/alien/fre.php false
    		high
    http://alphastand.win/alien/fre.php false
      		high
      http://alphastand.trade/alien/fre.php false
        		high
        http://alphastand.top/alien/fre.php false
          		high
          http://94.156.177.41/soja/five/fre.php true
          • Avira URL Cloud: safe
          		 unknown
          94.156.177.41/soja/five/fre.php true
          • Avira URL Cloud: safe
          		 unknown