Windows Analysis Report
Payment_copy28476450.exe

Overview

General Information

Sample Name: Payment_copy28476450.exe
Analysis ID: 753423
MD5: 70e90926399154c2708801a73cf53d99
SHA1: 0eaff8f1cde17a392d9e7935bae96f21c91acc3c
SHA256: c36de6d07a8ce4407cb59a275dbf8c04d05844903bb6d566f295ccd13a2d4ce6
Tags: exeloki

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Lokibot
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: Payment_copy28476450.exe ReversingLabs: Detection: 35%
Source: Payment_copy28476450.exe Virustotal: Detection: 41% Perma Link
Source: http://sempersim.su/gl20/fre.php Avira URL Cloud: Label: malware
Source: sempersim.su Virustotal: Detection: 25% Perma Link
Source: http://sempersim.su/gl20/fre.php Virustotal: Detection: 26% Perma Link
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Virustotal: Detection: 22% Perma Link
Source: C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy) ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy) Virustotal: Detection: 22% Perma Link
Source: Payment_copy28476450.exe Joe Sandbox ML: detected
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
Source: Payment_copy28476450.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP source: wcycejenv.exe, 00000001.00000003.254413056.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, wcycejenv.exe, 00000001.00000003.252943268.0000000002630000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: wcycejenv.exe, 00000001.00000003.254413056.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, wcycejenv.exe, 00000001.00000003.252943268.0000000002630000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Payment_copy28476450.exe Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405620
Source: C:\Users\user\Desktop\Payment_copy28476450.exe Code function: 0_2_00405FF6 FindFirstFileA,FindClose, 0_2_00405FF6
Source: C:\Users\user\Desktop\Payment_copy28476450.exe Code function: 0_2_00402654 FindFirstFileA, 0_2_00402654
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_004049D0 lstrcpyW,GetEnvironmentVariableW,lstrcpyW,lstrlenW,lstrcpyW,_wcsrchr,lstrcpyW,GetEnvironmentVariableW,lstrcpyW,lstrcpyW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW,lstrcatW,lstrlenW,GetFileAttributesW,lstrcatW,FindFirstFileW,FindClose,lstrcpyW,GetFileAttributesW,_wcsrchr,FindExecutableW,SHGetFileInfoW,CreateProcessW,GetLastError,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle, 1_2_004049D0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00405030 lstrcpyW,lstrcatW,lstrcatW,lstrlenW,GetFileAttributesW,lstrcatW,FindFirstFileW,FindClose,GetFileAttributesW, 1_2_00405030
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00431227 FindFirstFileExW, 1_2_00431227
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_004315E3 FindFirstFileExW,FindNextFileW,FindClose, 1_2_004315E3
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 3_2_00403D74

Networking

Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:53731 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.6:49697 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49697 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49697 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.6:49697 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49697 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:57686 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.6:49698 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49698 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49698 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.6:49698 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49698 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:64382 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49699 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49699 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49699 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49699 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49699 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49699
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:53203 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49700 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49700 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49700 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49700 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49700 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49700
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:53107 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49701 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49701 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49701 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49701 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49701 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49701
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:64601 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49702 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49702 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49702 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49702 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49702 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49702
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:49786 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49705 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49705 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49705 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49705 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49705 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49705
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:58595 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49706 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49706 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49706 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49706 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49706 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49706
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56331 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49707 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49707 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49707 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49707 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49707 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49707
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:50506 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49709 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49709 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49709 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49709 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49709 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49709
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:49448 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49710 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49710 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49710 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49710 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49710 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49710
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:59082 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49711 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49711 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49711 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49711 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49711 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49711
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:59504 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49712 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49712 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49712 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49712 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49712 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49712
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:65198 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49713 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49713 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49713 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49713 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49713 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49713
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62910 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49714 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49714 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49714 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49714 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49714 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49714
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:63863 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49715 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49715 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49715 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49715 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49715 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49715
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:63229 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49716 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49716 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49716 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49716 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49716 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49716
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:54903 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49718 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49718 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49718 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49718 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49718 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49718
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:51530 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49719 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49719 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49719 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49719 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49719 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49719
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56122 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49720 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49720 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49720 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49720 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49720 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49720
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:52556 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49721 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49721 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49721 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49721 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49721 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49721
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:61609 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49722 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49722 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49722 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49722 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49722 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49722
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:52481 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49723 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49723 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49723 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49723 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49723 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49723
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:53943 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49724 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49724 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49724 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49724 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49724 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49724
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56086 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49725 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49725 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49725 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49725 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49725 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49725
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56547 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49726 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49726 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49726 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49726 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49726 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49726
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:59881 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49727 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49727 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49727 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49727 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49727 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49727
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:58917 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49728 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49728 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49728 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49728 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49728 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49728
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:50343 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49729 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49729 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49729 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49729 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49729 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49729
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62520 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49730 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49730 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49730 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49730 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49730 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49730
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:55629 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49731 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49731 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49731 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49731 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49731 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49731
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:52079 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49732 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49732 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49732 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49732 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49732 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49732
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56569 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49733 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49733 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49733 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49733 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49733 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49733
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:61833 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49734 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49734 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49734 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49734 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49734 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49734
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:65044 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49735 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49735 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49735 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49735 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49735 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49735
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:60032 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49736 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49736 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49736 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49736 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49736 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49736
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:49232 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49737 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49737 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49737 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49737 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49737 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49737
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56123 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49738 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49738 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49738 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49738 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49738 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49738
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:59752 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49739 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49739 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49739 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49739 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49739 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49739
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:52865 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49740 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49740 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49740 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49740 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49740 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49740
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:57322 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49741 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49741 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49741 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49741 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49741 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49741
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62958 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49742 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49742 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49742 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49742 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49742 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49742
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:64404 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49743 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49743 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49743 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49743 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49743 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49743
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62848 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49744 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49744 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49744 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49744 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49744 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49744
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:55956 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49745 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49745 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49745 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49745 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49745 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49745
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:57515 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49746 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49746 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49746 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49746 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49746 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49746
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:51321 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49747 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49747 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49747 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49747 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49747 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49747
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:61089 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49748 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49748 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49748 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49748 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49748 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49748
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62766 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49749 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49749 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49749 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49749 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49749 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49749
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:60130 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49750 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49750 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49750 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49750 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49750 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49750
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62732 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49751 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49751 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49751 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49751 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49751 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49751
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:60690 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49752 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49752 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49752 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49752 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49752 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49752
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56750 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49753 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49753 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49753 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49753 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49753 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49753
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:59336 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49754 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49754 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49754 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49754 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49754 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49754
Source: Traffic Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:52715 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49755 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49755 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49755 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49755 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49755 -> 95.213.216.202:80
Source: Traffic Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49755
Source: Malware configuration extractor URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.top/alien/fre.php
Source: Joe Sandbox View ASN Name: SELECTELRU SELECTELRU
Source: global traffic HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 196Connection: close
Source: global traffic HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: Payment_copy28476450.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Payment_copy28476450.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: wcycejenv.exe, 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://sempersim.su/gl20/fre.php
Source: wcycejenv.exe, wcycejenv.exe, 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wcycejenv.exe, 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ibsensoftware.com/
Source: unknown HTTP traffic detected:
  POST /gl20/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: sempersim.su
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 1131A910
  Content-Length: 196
  Connection: close
Source: unknown DNS traffic detected: queries for: sempersim.su
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 3_2_00404ED4 recv, 3_2_00404ED4
Source: C:\Users\user\Desktop\Payment_copy28476450.exe Code function: 0_2_00405125 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405125
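The POST to sempersim.su above is the Lokibot check-in that the Snort alert and the C2 configuration entry refer to. As an added example (not code from the report, the sample, or any sandbox rule), the Python below parses a raw HTTP/1.0 request and scores it against the header traits visible in the report: the fixed User-Agent, POST over HTTP/1.0, the non-standard Content-Key header, the binary octet-stream body and the PHP gate path. The request bytes are reconstructed from the report's line with CRLFs restored; the 169-byte body is not shown in the report, so a zero-filled placeholder of the declared length stands in for it, and the decision threshold in `is_lokibot_beacon` is an assumption of this example.

```python
"""Lokibot check-in triage: parse a raw HTTP request and score it against
the header indicators visible in the sandbox report.
Added example; not code from the report or from the sample."""

# Constructed from the report's "HTTP traffic detected" line with the CRLF
# line breaks restored. The 169-byte body is not shown in the report, so a
# zero-filled placeholder of the declared length stands in for it.
SAMPLE_REQUEST = (
    b"POST /gl20/fre.php HTTP/1.0\r\n"
    b"User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    b"Host: sempersim.su\r\n"
    b"Accept: */*\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Encoding: binary\r\n"
    b"Content-Key: 1131A910\r\n"
    b"Content-Length: 169\r\n"
    b"Connection: close\r\n"
    b"\r\n"
) + b"\x00" * 169

# Constructed negative control: an ordinary browser-style request.
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

# User-Agent string exactly as recorded in the report.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, version, headers, body.

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def lokibot_indicators(req: dict) -> list:
    """Return the names of the Lokibot beacon traits present in a parsed request."""
    h = req["headers"]
    hits = []
    if h.get("user-agent") == LOKIBOT_UA:
        hits.append("user-agent")
    if req["method"] == "POST" and req["version"] == "HTTP/1.0":
        hits.append("post-http10")
    if "content-key" in h:                      # non-standard header
        hits.append("content-key")
    if (h.get("content-type") == "application/octet-stream"
            and h.get("content-encoding") == "binary"):
        hits.append("binary-body")
    if req["path"].lower().endswith(".php"):    # PHP gate such as fre.php
        hits.append("php-gate")
    return hits


def c2_url(req: dict) -> str:
    """Rebuild the gate URL in the form the report lists under the C2 config."""
    return "http://" + req["headers"]["host"] + req["path"]


def is_lokibot_beacon(raw: bytes) -> bool:
    """Decision rule (an assumption of this example, not the sandbox's own):
    the User-Agent alone is decisive; otherwise require three corroborating traits."""
    hits = lokibot_indicators(parse_request(raw))
    return "user-agent" in hits or len(hits) >= 3


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(c2_url(req), lokibot_indicators(req), is_lokibot_beacon(SAMPLE_REQUEST))
```

Against a real capture the same functions would be fed the reassembled TCP payload; the User-Agent alone is a high-confidence match, the other traits are there to keep the check useful if a variant changes the string.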

System Summary

barindex
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: wcycejenv.exe PID: 5332, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: initial sample Static PE information: Filename: Payment_copy28476450.exe
Source: Payment_copy28476450.exe Static file information: Suspicious name
Source: Payment_copy28476450.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 3.0.wcycejenv.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: wcycejenv.exe PID: 5332, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\Payment_copy28476450.exe Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040324F
Source: C:\Users\user\Desktop\Payment_copy28476450.exe Code function: 0_2_00406333 0_2_00406333
Source: C:\Users\user\Desktop\Payment_copy28476450.exe Code function: 0_2_00404936 0_2_00404936
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_004064B0 1_2_004064B0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00420069 1_2_00420069
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_004420D3 1_2_004420D3
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_004202DD 1_2_004202DD
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00420542 1_2_00420542
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_0043A760 1_2_0043A760
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_004027E0 1_2_004027E0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_004207A7 1_2_004207A7
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00420A1B 1_2_00420A1B
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_0043AC80 1_2_0043AC80
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_0040CD62 1_2_0040CD62
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_0043B0B0 1_2_0043B0B0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_0041F0BA 1_2_0041F0BA
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_0040B201 1_2_0040B201
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_0041F2EC 1_2_0041F2EC
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00439397 1_2_00439397
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_0041F52D 1_2_0041F52D
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_0041F75F 1_2_0041F75F
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_0043B776 1_2_0043B776
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_0041F991 1_2_0041F991
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00443AF2 1_2_00443AF2
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_0041FBD2 1_2_0041FBD2
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00435BDC 1_2_00435BDC
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_0041FE04 1_2_0041FE04
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00441FB3 1_2_00441FB3
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 3_2_0040549C 3_2_0040549C
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 3_2_004029D4 3_2_004029D4
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: String function: 00408200 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: String function: 00405B6F appears 42 times
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: String function: 0042C7E5 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: String function: 004338DF appears 33 times
Source: Payment_copy28476450.exe ReversingLabs: Detection: 35%
Source: Payment_copy28476450.exe Virustotal: Detection: 41%
Source: C:\Users\user\Desktop\Payment_copy28476450.exe File read: C:\Users\user\Desktop\Payment_copy28476450.exe
Source: Payment_copy28476450.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment_copy28476450.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Payment_copy28476450.exe C:\Users\user\Desktop\Payment_copy28476450.exe
Source: C:\Users\user\Desktop\Payment_copy28476450.exe Process created: C:\Users\user\AppData\Local\Temp\wcycejenv.exe "C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Process created: C:\Users\user\AppData\Local\Temp\wcycejenv.exe "C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d
Source: C:\Users\user\Desktop\Payment_copy28476450.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
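The process lines above give the execution chain: the NSIS installer on the Desktop drops wcycejenv.exe into %LOCALAPPDATA%\Temp, runs it with the dropped stvrrcrc.d as its argument, and that process starts a second copy of itself with the identical command line, the shape that goes with the report's "Maps a DLL or memory area into another process" finding. As an added example (not the sandbox's own logic), the Python below rebuilds that tree from Sysmon-like process-creation events and flags the Temp-resident self-respawn. The events are constructed from the report's lines; the PIDs and the event field names are assumptions of this example.

```python
"""Process-chain triage for the execution sequence the report records.
Added example, not from the report: EVENTS is constructed from the
"Process created" lines in a Sysmon-like shape. PIDs are assumed, and the
heuristics are this example's, not the sandbox's own rules."""
import re

EVENTS = [
    {"pid": 4100, "ppid": 0,   # parent unknown in the report
     "image": r"C:\Users\user\Desktop\Payment_copy28476450.exe",
     "cmd": r"C:\Users\user\Desktop\Payment_copy28476450.exe"},
    {"pid": 4200, "ppid": 4100,
     "image": r"C:\Users\user\AppData\Local\Temp\wcycejenv.exe",
     "cmd": r'"C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d'},
    {"pid": 4300, "ppid": 4200,
     "image": r"C:\Windows\System32\conhost.exe",
     "cmd": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 4400, "ppid": 4200,
     "image": r"C:\Users\user\AppData\Local\Temp\wcycejenv.exe",
     "cmd": r'"C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d'},
]

# Matches the per-user Temp directory in a Windows path, case-insensitively.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def _by_pid(events):
    return {e["pid"]: e for e in events}


def ancestry(events, pid):
    """Image paths from the root of the recorded tree down to pid."""
    table = _by_pid(events)
    chain = []
    while pid in table:
        chain.append(table[pid]["image"])
        pid = table[pid]["ppid"]
    chain.reverse()
    return chain


def find_self_respawn(events):
    """(parent_pid, child_pid) pairs where an executable in the user's Temp
    directory starts a second copy of itself with the same command line.
    A loader that hollows a fresh instance of its own image produces exactly
    this pair; a legitimate console tool almost never does."""
    table = _by_pid(events)
    hits = []
    for e in events:
        parent = table.get(e["ppid"])
        if parent is None:
            continue
        if (parent["image"].lower() == e["image"].lower()
                and parent["cmd"].lower() == e["cmd"].lower()
                and TEMP_DIR.search(e["image"])):
            hits.append((parent["pid"], e["pid"]))
    return hits


def temp_executables(events):
    """Distinct images that ran from the user's Temp directory (dropped payloads)."""
    return sorted({e["image"] for e in events if TEMP_DIR.search(e["image"])})


if __name__ == "__main__":
    for parent, child in find_self_respawn(EVENTS):
        print("self-respawn from Temp:", parent, "->", child)
        print("  chain:", " -> ".join(ancestry(EVENTS, child)))
    print("dropped executables:", temp_executables(EVENTS))
```

The conhost.exe child is expected noise: Windows starts it for any console-subsystem program, which is what the dropped wcycejenv.exe is; the rule ignores it because its image is not under Temp and its command line differs from the parent's.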
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 3_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges, 3_2_0040650A
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Users\user\Desktop\Payment_copy28476450.exe File created: C:\Users\user\AppData\Local\Temp\nsg6B4C.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/7@55/2
Source: C:\Users\user\Desktop\Payment_copy28476450.exe Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar, 0_2_00402036
Source: C:\Users\user\Desktop\Payment_copy28476450.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Payment_copy28476450.exe Code function: 0_2_004043F5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004043F5
Source: wcycejenv.exe, 00000003.00000003.255548634.0000000002247000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00404110 FormatMessageW,GetLastError,GetLastError,GetStdHandle,LocalFree, 1_2_00404110
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:584:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Source: Binary string: wntdll.pdbUGP source: wcycejenv.exe, 00000001.00000003.254413056.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, wcycejenv.exe, 00000001.00000003.252943268.0000000002630000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: wcycejenv.exe, 00000001.00000003.254413056.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, wcycejenv.exe, 00000001.00000003.252943268.0000000002630000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wcycejenv.exe PID: 5332, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_0042E02E push 59000002h; ret 1_2_0042E035
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00408250 push ecx; ret 1_2_00408263
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00444D5B push ecx; ret 1_2_00444D6E
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_0042942E push esp; retn 0000h 1_2_0042943E
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 3_2_00402AC0 push eax; ret 3_2_00402AD4
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 3_2_00402AC0 push eax; ret 3_2_00402AFC
Source: C:\Users\user\Desktop\Payment_copy28476450.exe File created: C:\Users\user\AppData\Local\Temp\wcycejenv.exe
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe File created: C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy)
Source: C:\Users\user\Desktop\Payment_copy28476450.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe TID: 5324 Thread sleep time: -660000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe API coverage: 2.4 %
Source: C:\Users\user\Desktop\Payment_copy28476450.exe Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405620
Source: C:\Users\user\Desktop\Payment_copy28476450.exe Code function: 0_2_00405FF6 FindFirstFileA,FindClose, 0_2_00405FF6
Source: C:\Users\user\Desktop\Payment_copy28476450.exe Code function: 0_2_00402654 FindFirstFileA, 0_2_00402654
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_004049D0 lstrcpyW,GetEnvironmentVariableW,lstrcpyW,lstrlenW,lstrcpyW,_wcsrchr,lstrcpyW,GetEnvironmentVariableW,lstrcpyW,lstrcpyW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW,lstrcatW,lstrlenW,GetFileAttributesW,lstrcatW,FindFirstFileW,FindClose,lstrcpyW,GetFileAttributesW,_wcsrchr,FindExecutableW,SHGetFileInfoW,CreateProcessW,GetLastError,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle, 1_2_004049D0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00405030 lstrcpyW,lstrcatW,lstrcatW,lstrlenW,GetFileAttributesW,lstrcatW,FindFirstFileW,FindClose,GetFileAttributesW, 1_2_00405030
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00431227 FindFirstFileExW, 1_2_00431227
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_004315E3 FindFirstFileExW,FindNextFileW,FindClose, 1_2_004315E3
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 3_2_00403D74
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Thread delayed: delay time: 60000
Source: C:\Users\user\Desktop\Payment_copy28476450.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00430A14 IsDebuggerPresent, 1_2_00430A14
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00436D8B GetProcessHeap, 1_2_00436D8B
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00428A12 mov eax, dword ptr fs:[00000030h] 1_2_00428A12
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00428AA0 mov ecx, dword ptr fs:[00000030h] 1_2_00428AA0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00433950 mov eax, dword ptr fs:[00000030h] 1_2_00433950
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_0043390D mov eax, dword ptr fs:[00000030h] 1_2_0043390D
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_004339EE mov eax, dword ptr fs:[00000030h] 1_2_004339EE
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00433993 mov eax, dword ptr fs:[00000030h] 1_2_00433993
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00433AF8 mov eax, dword ptr fs:[00000030h] 1_2_00433AF8
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00433AB4 mov eax, dword ptr fs:[00000030h] 1_2_00433AB4
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00433B6D mov eax, dword ptr fs:[00000030h] 1_2_00433B6D
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00433B3C mov eax, dword ptr fs:[00000030h] 1_2_00433B3C
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 3_2_0040317B mov eax, dword ptr fs:[00000030h] 3_2_0040317B
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_0040812D SetUnhandledExceptionFilter, 1_2_0040812D
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_004085D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_004085D0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_0042BE3E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0042BE3E
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_00407F97 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00407F97

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\wcycejenv.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Process created: C:\Users\user\AppData\Local\Temp\wcycejenv.exe "C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 1_2_00436171
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: EnumSystemLocalesW, 1_2_0042C1E7
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: EnumSystemLocalesW, 1_2_0042C370
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: EnumSystemLocalesW, 1_2_0042C378
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: EnumSystemLocalesW, 1_2_0042C33E
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: EnumSystemLocalesW, 1_2_0043647C
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: EnumSystemLocalesW, 1_2_00436413
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: EnumSystemLocalesW, 1_2_00436517
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 1_2_004365A2
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: GetLocaleInfoW, 1_2_004367F5
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_0043691B
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: GetLocaleInfoW, 1_2_00436A21
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_00436AF0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: GetLocaleInfoW, 1_2_0042CC9F
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_004083E2 cpuid 1_2_004083E2
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 1_2_0042CCDE GetSystemTimeAsFileTime, 1_2_0042CCDE
Source: C:\Users\user\Desktop\Payment_copy28476450.exe Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040324F
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: 3_2_00406069 GetUserNameW, 3_2_00406069

Stealing of Sensitive Information

Source: Yara match File source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wcycejenv.exe PID: 5332, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000003.00000002.510358180.0000000000737000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: PopPassword 3_2_0040D069
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe Code function: SmtpPassword 3_2_0040D069
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match File source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY