Windows Analysis Report
Payment_copy28476450.exe

AV Detection

Source: Payment_copy28476450.exe	ReversingLabs: Detection: 35%
Source: Payment_copy28476450.exe	Virustotal: Detection: 41%			Perma Link

Source: http://sempersim.su/gl20/fre.php

Avira URL Cloud: Label: malware

Source: sempersim.su	Virustotal: Detection: 25%			Perma Link
Source: http://sempersim.su/gl20/fre.php	Virustotal: Detection: 26%			Perma Link

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Virustotal: Detection: 22%			Perma Link
Source: C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy)	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy)	Virustotal: Detection: 22%			Perma Link

Source: Payment_copy28476450.exe

Joe Sandbox ML: detected

Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Compliance

Source: Payment_copy28476450.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: wcycejenv.exe, 00000001.00000003.254413056.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, wcycejenv.exe, 00000001.00000003.252943268.0000000002630000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: wcycejenv.exe, 00000001.00000003.254413056.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, wcycejenv.exe, 00000001.00000003.252943268.0000000002630000.00000004.00001000.00020000.00000000.sdmp

Spreading

Source: C:\Users\user\Desktop\Payment_copy28476450.exe	Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,		0_2_00405620
Source: C:\Users\user\Desktop\Payment_copy28476450.exe	Code function: 0_2_00405FF6 FindFirstFileA,FindClose,		0_2_00405FF6
Source: C:\Users\user\Desktop\Payment_copy28476450.exe	Code function: 0_2_00402654 FindFirstFileA,		0_2_00402654
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_004049D0 lstrcpyW,GetEnvironmentVariableW,lstrcpyW,lstrlenW,lstrcpyW,_wcsrchr,lstrcpyW,GetEnvironmentVariableW,lstrcpyW,lstrcpyW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW,lstrcatW,lstrlenW,GetFileAttributesW,lstrcatW,FindFirstFileW,FindClose,lstrcpyW,GetFileAttributesW,_wcsrchr,FindExecutableW,SHGetFileInfoW,CreateProcessW,GetLastError,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,		1_2_004049D0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00405030 lstrcpyW,lstrcatW,lstrcatW,lstrlenW,GetFileAttributesW,lstrcatW,FindFirstFileW,FindClose,GetFileAttributesW,		1_2_00405030
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00431227 FindFirstFileExW,		1_2_00431227
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_004315E3 FindFirstFileExW,FindNextFileW,FindClose,		1_2_004315E3
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,		3_2_00403D74

Networking

Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:53731 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.6:49697 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49697 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49697 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.6:49697 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49697 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:57686 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.6:49698 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49698 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49698 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.6:49698 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49698 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:64382 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49699 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49699 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49699 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49699 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49699 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49699
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:53203 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49700 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49700 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49700 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49700 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49700 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49700
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:53107 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49701 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49701 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49701 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49701 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49701 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49701
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:64601 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49702 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49702 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49702 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49702 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49702 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49702
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:49786 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49705 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49705 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49705 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49705 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49705 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49705
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:58595 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49706 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49706 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49706 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49706 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49706 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49706
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56331 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49707 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49707 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49707 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49707 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49707 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49707
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:50506 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49709 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49709 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49709 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49709 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49709 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49709
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:49448 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49710 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49710 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49710 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49710 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49710 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49710
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:59082 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49711 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49711 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49711 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49711 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49711 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49711
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:59504 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49712 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49712 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49712 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49712 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49712 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49712
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:65198 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49713 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49713 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49713 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49713 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49713 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49713
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62910 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49714 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49714 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49714 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49714 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49714 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49714
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:63863 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49715 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49715 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49715 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49715 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49715 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49715
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:63229 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49716 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49716 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49716 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49716 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49716 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49716
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:54903 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49718 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49718 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49718 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49718 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49718 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49718
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:51530 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49719 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49719 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49719 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49719 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49719 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49719
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56122 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49720 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49720 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49720 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49720 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49720 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49720
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:52556 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49721 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49721 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49721 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49721 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49721 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49721
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:61609 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49722 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49722 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49722 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49722 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49722 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49722
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:52481 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49723 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49723 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49723 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49723 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49723 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49723
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:53943 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49724 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49724 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49724 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49724 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49724 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49724
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56086 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49725 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49725 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49725 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49725 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49725 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49725
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56547 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49726 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49726 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49726 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49726 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49726 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49726
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:59881 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49727 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49727 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49727 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49727 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49727 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49727
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:58917 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49728 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49728 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49728 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49728 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49728 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49728
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:50343 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49729 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49729 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49729 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49729 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49729 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49729
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62520 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49730 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49730 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49730 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49730 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49730 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49730
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:55629 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49731 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49731 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49731 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49731 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49731 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49731
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:52079 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49732 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49732 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49732 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49732 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49732 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49732
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56569 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49733 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49733 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49733 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49733 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49733 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49733
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:61833 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49734 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49734 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49734 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49734 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49734 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49734
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:65044 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49735 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49735 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49735 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49735 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49735 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49735
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:60032 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49736 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49736 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49736 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49736 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49736 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49736
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:49232 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49737 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49737 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49737 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49737 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49737 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49737
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56123 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49738 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49738 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49738 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49738 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49738 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49738
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:59752 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49739 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49739 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49739 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49739 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49739 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49739
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:52865 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49740 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49740 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49740 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49740 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49740 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49740
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:57322 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49741 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49741 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49741 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49741 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49741 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49741
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62958 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49742 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49742 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49742 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49742 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49742 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49742
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:64404 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49743 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49743 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49743 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49743 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49743 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49743
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62848 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49744 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49744 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49744 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49744 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49744 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49744
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:55956 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49745 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49745 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49745 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49745 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49745 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49745
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:57515 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49746 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49746 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49746 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49746 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49746 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49746
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:51321 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49747 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49747 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49747 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49747 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49747 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49747
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:61089 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49748 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49748 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49748 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49748 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49748 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49748
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62766 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49749 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49749 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49749 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49749 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49749 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49749
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:60130 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49750 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49750 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49750 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49750 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49750 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49750
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62732 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49751 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49751 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49751 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49751 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49751 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49751
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:60690 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49752 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49752 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49752 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49752 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49752 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49752
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56750 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49753 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49753 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49753 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49753 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49753 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49753
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:59336 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49754 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49754 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49754 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49754 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49754 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49754
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:52715 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49755 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49755 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49755 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49755 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49755 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49755

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php

Source: Joe Sandbox View

ASN Name: SELECTELRU SELECTELRU

Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 196Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 196Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close

Source: Payment_copy28476450.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Payment_copy28476450.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: wcycejenv.exe, 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://sempersim.su/gl20/fre.php
Source: wcycejenv.exe, wcycejenv.exe, 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wcycejenv.exe, 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/

Source: unknown

HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 196Connection: close

Source: unknown

DNS traffic detected: queries for: sempersim.su

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Code function: 3_2_00404ED4 recv,

3_2_00404ED4

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\Payment_copy28476450.exe

Code function: 0_2_00405125 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405125

System Summary

Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: wcycejenv.exe PID: 5332, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Source: initial sample

Static PE information: Filename: Payment_copy28476450.exe

Source: Payment_copy28476450.exe

Static file information: Suspicious name

Source: Payment_copy28476450.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 3.0.wcycejenv.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: wcycejenv.exe PID: 5332, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\Payment_copy28476450.exe

Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_0040324F

Source: C:\Users\user\Desktop\Payment_copy28476450.exe	Code function: 0_2_00406333		0_2_00406333
Source: C:\Users\user\Desktop\Payment_copy28476450.exe	Code function: 0_2_00404936		0_2_00404936
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_004064B0		1_2_004064B0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00420069		1_2_00420069
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_004420D3		1_2_004420D3
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_004202DD		1_2_004202DD
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00420542		1_2_00420542
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0043A760		1_2_0043A760
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_004027E0		1_2_004027E0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_004207A7		1_2_004207A7
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00420A1B		1_2_00420A1B
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0043AC80		1_2_0043AC80
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0040CD62		1_2_0040CD62
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0043B0B0		1_2_0043B0B0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0041F0BA		1_2_0041F0BA
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0040B201		1_2_0040B201
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0041F2EC		1_2_0041F2EC
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00439397		1_2_00439397
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0041F52D		1_2_0041F52D
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0041F75F		1_2_0041F75F
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0043B776		1_2_0043B776
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0041F991		1_2_0041F991
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00443AF2		1_2_00443AF2
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0041FBD2		1_2_0041FBD2
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00435BDC		1_2_00435BDC
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0041FE04		1_2_0041FE04
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00441FB3		1_2_00441FB3
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 3_2_0040549C		3_2_0040549C
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 3_2_004029D4		3_2_004029D4

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: String function: 00408200 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: String function: 00405B6F appears 42 times
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: String function: 0042C7E5 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: String function: 004338DF appears 33 times

Source: Payment_copy28476450.exe	ReversingLabs: Detection: 35%
Source: Payment_copy28476450.exe	Virustotal: Detection: 41%

Source: C:\Users\user\Desktop\Payment_copy28476450.exe

File read: C:\Users\user\Desktop\Payment_copy28476450.exe

Jump to behavior

Source: Payment_copy28476450.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Payment_copy28476450.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Payment_copy28476450.exe C:\Users\user\Desktop\Payment_copy28476450.exe
Source: C:\Users\user\Desktop\Payment_copy28476450.exe	Process created: C:\Users\user\AppData\Local\Temp\wcycejenv.exe "C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process created: C:\Users\user\AppData\Local\Temp\wcycejenv.exe "C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d
Source: C:\Users\user\Desktop\Payment_copy28476450.exe	Process created: C:\Users\user\AppData\Local\Temp\wcycejenv.exe "C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process created: C:\Users\user\AppData\Local\Temp\wcycejenv.exe "C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d			Jump to behavior

Source: C:\Users\user\Desktop\Payment_copy28476450.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Code function: 3_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

3_2_0040650A

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: C:\Users\user\Desktop\Payment_copy28476450.exe

File created: C:\Users\user\AppData\Local\Temp\nsg6B4C.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/7@55/2

Source: C:\Users\user\Desktop\Payment_copy28476450.exe

Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,

0_2_00402036

Source: C:\Users\user\Desktop\Payment_copy28476450.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Payment_copy28476450.exe

Code function: 0_2_004043F5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004043F5

Source: wcycejenv.exe, 00000003.00000003.255548634.0000000002247000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Code function: 1_2_00404110 FormatMessageW,GetLastError,GetLastError,GetStdHandle,LocalFree,

1_2_00404110

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:584:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: wcycejenv.exe, 00000001.00000003.254413056.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, wcycejenv.exe, 00000001.00000003.252943268.0000000002630000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: wcycejenv.exe, 00000001.00000003.254413056.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, wcycejenv.exe, 00000001.00000003.252943268.0000000002630000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match	File source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wcycejenv.exe PID: 5332, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0042E02E push 59000002h; ret		1_2_0042E035
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00408250 push ecx; ret		1_2_00408263
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00444D5B push ecx; ret		1_2_00444D6E
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0042942E push esp; retn 0000h		1_2_0042943E
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 3_2_00402AC0 push eax; ret		3_2_00402AD4
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 3_2_00402AC0 push eax; ret		3_2_00402AFC

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Payment_copy28476450.exe	File created: C:\Users\user\AppData\Local\Temp\wcycejenv.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	File created: C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy)			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Payment_copy28476450.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe TID: 5324

Thread sleep time: -660000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

API coverage: 2.4 %

Source: C:\Users\user\Desktop\Payment_copy28476450.exe	Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,		0_2_00405620
Source: C:\Users\user\Desktop\Payment_copy28476450.exe	Code function: 0_2_00405FF6 FindFirstFileA,FindClose,		0_2_00405FF6
Source: C:\Users\user\Desktop\Payment_copy28476450.exe	Code function: 0_2_00402654 FindFirstFileA,		0_2_00402654
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_004049D0 lstrcpyW,GetEnvironmentVariableW,lstrcpyW,lstrlenW,lstrcpyW,_wcsrchr,lstrcpyW,GetEnvironmentVariableW,lstrcpyW,lstrcpyW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW,lstrcatW,lstrlenW,GetFileAttributesW,lstrcatW,FindFirstFileW,FindClose,lstrcpyW,GetFileAttributesW,_wcsrchr,FindExecutableW,SHGetFileInfoW,CreateProcessW,GetLastError,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,		1_2_004049D0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00405030 lstrcpyW,lstrcatW,lstrcatW,lstrlenW,GetFileAttributesW,lstrcatW,FindFirstFileW,FindClose,GetFileAttributesW,		1_2_00405030
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00431227 FindFirstFileExW,		1_2_00431227
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_004315E3 FindFirstFileExW,FindNextFileW,FindClose,		1_2_004315E3
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,		3_2_00403D74

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: C:\Users\user\Desktop\Payment_copy28476450.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	API call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Code function: 1_2_00430A14 IsDebuggerPresent,

1_2_00430A14

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Code function: 1_2_00436D8B GetProcessHeap,

1_2_00436D8B

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00428A12 mov eax, dword ptr fs:[00000030h]		1_2_00428A12
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00428AA0 mov ecx, dword ptr fs:[00000030h]		1_2_00428AA0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00433950 mov eax, dword ptr fs:[00000030h]		1_2_00433950
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0043390D mov eax, dword ptr fs:[00000030h]		1_2_0043390D
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_004339EE mov eax, dword ptr fs:[00000030h]		1_2_004339EE
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00433993 mov eax, dword ptr fs:[00000030h]		1_2_00433993
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00433AF8 mov eax, dword ptr fs:[00000030h]		1_2_00433AF8
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00433AB4 mov eax, dword ptr fs:[00000030h]		1_2_00433AB4
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00433B6D mov eax, dword ptr fs:[00000030h]		1_2_00433B6D
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00433B3C mov eax, dword ptr fs:[00000030h]		1_2_00433B3C
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 3_2_0040317B mov eax, dword ptr fs:[00000030h]		3_2_0040317B

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0040812D SetUnhandledExceptionFilter,		1_2_0040812D
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_004085D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		1_2_004085D0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0042BE3E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_0042BE3E
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00407F97 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_00407F97

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\wcycejenv.exe protection: execute and read and write

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Process created: C:\Users\user\AppData\Local\Temp\wcycejenv.exe "C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d

Jump to behavior

Language, Device and Operating System Detection

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,		1_2_00436171
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: EnumSystemLocalesW,		1_2_0042C1E7
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: EnumSystemLocalesW,		1_2_0042C370
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: EnumSystemLocalesW,		1_2_0042C378
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: EnumSystemLocalesW,		1_2_0042C33E
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: EnumSystemLocalesW,		1_2_0043647C
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: EnumSystemLocalesW,		1_2_00436413
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: EnumSystemLocalesW,		1_2_00436517
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,		1_2_004365A2
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: GetLocaleInfoW,		1_2_004367F5
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,		1_2_0043691B
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: GetLocaleInfoW,		1_2_00436A21
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,		1_2_00436AF0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: GetLocaleInfoW,		1_2_0042CC9F

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Code function: 1_2_004083E2 cpuid

1_2_004083E2

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Code function: 1_2_0042CCDE GetSystemTimeAsFileTime,

1_2_0042CCDE

Source: C:\Users\user\Desktop\Payment_copy28476450.exe

Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_0040324F

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Code function: 3_2_00406069 GetUserNameW,

3_2_00406069

Stealing of Sensitive Information

Source: Yara match	File source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wcycejenv.exe PID: 5332, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000003.00000002.510358180.0000000000737000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: PopPassword		3_2_0040D069
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: SmtpPassword		3_2_0040D069

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Source: Yara match	File source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY